CVE-2025-67748
Unsafe Module Import Bypass in Fickling Allows Unsafe Pickle Execution
Publication date: 2025-12-16
Last updated on: 2025-12-16
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trailofbits | fickling | 0.1.6 |
| trailofbits | fickling | 0.1.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
| CWE-184 | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-67748 is a vulnerability in the Fickling Python package (versions prior to 0.1.6) where the 'pty' module was missing from the blocklist of unsafe imports. This omission allowed attackers to craft malicious pickle files that use the pty.spawn() function to execute arbitrary code. Fickling's heuristic for detecting unsafe pickle files relies on identifying unused variables left on the Python VM stack after execution, but the use of pty.spawn() with a trivial operation to mark the variable as used bypassed this detection, causing such malicious pickles to be incorrectly flagged as 'LIKELY_SAFE'. This flaw enables arbitrary code execution upon deserialization of these pickle files. The issue was fixed by adding 'pty' to the unsafe imports blocklist in version 0.1.6. [2, 3, 1]
How can this vulnerability impact me?
This vulnerability can impact users or systems that rely on Fickling to vet pickle files for security issues. Because malicious pickle files using pty.spawn() can bypass Fickling's detection, an attacker can execute arbitrary code on the affected system during deserialization. This can lead to unauthorized code execution, potentially compromising system integrity, confidentiality, and availability. [2, 1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing pickle files for unsafe usage of the 'pty' module, specifically the use of 'pty.spawn()', which was previously not flagged by Fickling. A proof-of-concept payload can be created and inspected using Python's pickletools module. For example, you can use the following Python snippet to disassemble and inspect a suspicious pickle file:

```python
import pickletools

# pickletools.dis only disassembles the opcode stream; it does not load the pickle.
with open('suspicious.pkl', 'rb') as f:
    pickletools.dis(f, annotate=1)
```

This will show opcodes such as SHORT_BINUNICODE 'pty' and 'spawn', STACK_GLOBAL, and REDUCE, which indicate usage of the 'pty.spawn' function. Additionally, using the updated Fickling tool (version 0.1.6 or later) to scan pickle files will help detect such unsafe pickles, as it now includes 'pty' in its blocklist of unsafe modules. [2, 3]
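The same inspection can be automated. The following is an added example, not Fickling's code: it walks the opcode stream with `pickletools.genops`, lists the modules a pickle would import, and shows how a blocklist without 'pty' misses the reference. The blocklist contents, sample bytes and function names are assumptions made for illustration.

```python
import pickletools

# Illustrative blocklists (assumptions, not Fickling's actual lists).
BLOCKLIST_WITHOUT_PTY = {"os", "posix", "nt", "subprocess", "builtins"}
BLOCKLIST_WITH_PTY = BLOCKLIST_WITHOUT_PTY | {"pty"}

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
MEMO_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}

# Constructed samples: they only reference pty.spawn (no REDUCE, so no call),
# and this code never loads them.
SAMPLE_STACK_GLOBAL = b"\x80\x04\x8c\x03pty\x8c\x05spawn\x93."  # protocol 4
SAMPLE_GLOBAL = b"cpty\nspawn\n."                                # protocol 0-3


def find_imports(data: bytes):
    """List (module, name) pairs the pickle would import, without loading it."""
    imports, recent = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent.append(arg)          # candidate operands for STACK_GLOBAL
        elif op.name in MEMO_OPS:
            pass                        # memo writes leave the stack unchanged
        elif op.name in ("GLOBAL", "INST"):
            module, _, name = arg.partition(" ")
            imports.append((module, name))
        elif op.name == "STACK_GLOBAL":
            # Operands come from the stack; if they were not two literal
            # strings pushed just before, record the import as unresolved.
            imports.append(tuple(recent[-2:]) if len(recent) >= 2 else (None, None))
            recent = []
        else:
            recent = []
    return imports


def unsafe_imports(data: bytes, blocklist=BLOCKLIST_WITH_PTY):
    """Return imports from blocklisted modules; unresolved ones fail closed."""
    return [(m, n) for m, n in find_imports(data)
            if m is None or m.split(".")[0] in blocklist]
```

The STACK_GLOBAL handling is a heuristic over literal strings, not a full stack simulation, so any import it cannot resolve is reported as unsafe.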
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Fickling to version 0.1.6 or later, which includes the fix that adds 'pty' to the blocklist of unsafe modules. This prevents malicious pickle files using 'pty.spawn()' from being incorrectly flagged as safe. Users relying on Fickling to vet pickle files should update their installations promptly. Additionally, avoid deserializing pickle files from untrusted sources to reduce the risk of arbitrary code execution. [1, 2, 3]