CVE-2025-67747
Unsafe Module Import Bypass in Fickling Enables Code Execution
Publication date: 2025-12-16
Last updated on: 2025-12-16
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trailofbits | fickling | 0.1.6 |
| trailofbits | fickling | 0.1.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-184 | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete. |
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-67747 is a vulnerability in the Python package 'fickling' (versions prior to 0.1.6) where the tool fails to block the Python modules 'marshal' and 'types' during its security analysis of pickle files. This omission allows attackers to craft malicious pickle files that use 'marshal.loads' and 'types.FunctionType' to bypass fickling's safety checks. As a result, a user who deserializes such a malicious pickle file, believing it to be safe, could inadvertently execute arbitrary code on their system. The vulnerability was fixed in version 0.1.6 by adding these modules to the blocklist of unsafe imports. [1, 2, 3, 4]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to execute arbitrary code on your system if you use fickling to vet pickle files for security and then deserialize a malicious pickle file that bypasses fickling's checks. This could lead to unauthorized system commands being run, potentially compromising your system's integrity, confidentiality, and availability. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing pickle files with the updated version of the fickling tool (version 0.1.6 or later), which includes the 'marshal' and 'types' modules in its blocklist of unsafe imports. Running fickling on suspicious pickle files will help identify malicious usage of marshal.loads and types.FunctionType that was previously missed. For example, you can run the command `fickling --check-safety <pickle_file>` to analyze a pickle file. If you are using an older version, the tool may incorrectly classify malicious files as 'LIKELY_SAFE'. There is no direct network detection command provided, but scanning for pickle files and analyzing them with the fixed fickling tool is recommended. [1, 2, 3]
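As a cross-check that does not depend on the installed fickling version, the following added example (not fickling's code and not part of the original advisory) lists the imports a pickle declares with the standard-library `pickletools` module and flags `marshal` and `types`, without ever unpickling the data. The function names are hypothetical, and the sample byte strings are constructed: they contain only bare import references.

```python
import pickle
import pickletools
from collections import OrderedDict

# Modules this advisory names as missing from fickling's blocklist before the fix.
FLAGGED_MODULES = {"marshal", "types"}
UNRESOLVED = "<unresolved>"


def imported_globals(data: bytes):
    """Statically list (module, name) pairs a pickle imports. Never unpickles."""
    found, strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in ("GLOBAL", "INST"):
            # pickletools reports these arguments as "module name".
            module, _, name = arg.partition(" ")
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            # Heuristic: the operands are the two most recently pushed strings.
            # Operands fetched from the memo would not be seen, so anything
            # that cannot be resolved is reported instead of being ignored.
            if len(strings) >= 2:
                found.append((strings[-2], strings[-1]))
            else:
                found.append((UNRESOLVED, UNRESOLVED))
        elif isinstance(arg, str):
            strings.append(arg)
    return found


def flagged_imports(data: bytes):
    """Return imports from flagged modules, plus any unresolved import."""
    return [
        (module, name)
        for module, name in imported_globals(data)
        if module.split(".")[0] in FLAGGED_MODULES or module == UNRESOLVED
    ]


# Constructed samples: import references only, no call opcodes, no payload.
SAMPLE_P0 = b"cmarshal\nloads\n."                               # protocol 0 GLOBAL
SAMPLE_P4 = b"\x80\x04\x8c\x05types\x8c\x0cFunctionType\x93."   # STACK_GLOBAL
BENIGN = pickle.dumps(OrderedDict(a=1), protocol=4)

if __name__ == "__main__":
    for label, blob in (("p0", SAMPLE_P0), ("p4", SAMPLE_P4), ("benign", BENIGN)):
        print(label, flagged_imports(blob))
```

A non-empty result means the file should not be deserialized until it has been reviewed. An empty result is not proof of safety, because this scan only covers the two modules named in this advisory.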
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the fickling tool to version 0.1.6 or later, which includes the fix that adds 'marshal' and 'types' to the blocklist of unsafe modules, preventing the bypass. Avoid deserializing pickle files that have not been vetted with the updated tool. Additionally, review any systems or workflows that rely on fickling for pickle file analysis and ensure they are updated to use the patched version to prevent arbitrary code execution. [3, 4]