CVE-2026-22607
Misclassification Vulnerability in Fickling Enables Remote Code Execution

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description
Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python's cProfile module as unsafe. Because of this, a malicious pickle that uses cProfile.run() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling's output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor       Product   Version / Range
trailofbits  fickling  up to and including 0.1.6
trailofbits  fickling  from 0.1.7 (inclusive)
CWE ID   Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-22607 is a security vulnerability in the Python package 'fickling' (versions up to 0.1.6), which is used to analyze and classify the safety of pickle files before deserialization. The vulnerability arises because fickling does not treat the Python module 'cProfile' and its functions like cProfile.run() as unsafe. This allows a malicious pickle file that uses cProfile.run() to be misclassified as only 'SUSPICIOUS' rather than 'OVERTLY_MALICIOUS'. Since cProfile.run() can execute arbitrary Python code strings, this misclassification can lead users to mistakenly trust and deserialize malicious pickles, resulting in arbitrary code execution on their systems. The issue was fixed in version 0.1.7 by adding cProfile and related functions to the unsafe imports blocklist. [3, 1]


How can this vulnerability impact me?

If you rely on fickling to determine whether pickle files are safe to deserialize, this vulnerability can allow attackers to execute arbitrary code on your system by crafting malicious pickle files that use cProfile.run(). This can compromise any workflow or product that uses fickling as a security gate, including machine learning model validation pipelines, model hosting platforms, security scanning tools, and CI/CD pipelines. The attacker-controlled code execution can lead to system compromise, data breaches, or other malicious activities. [3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by using the updated version of the tool 'fickling' (version 0.1.7 or later), which includes enhanced detection for unsafe imports such as 'cProfile'. Specifically, the tool analyzes pickle files for unsafe imports and flags those using 'cProfile.run()' as overtly malicious. A suggested approach is to run fickling's analysis on pickle files to detect suspicious or malicious payloads. For example, you can use the fickling command-line interface to analyze pickle files: `fickling analyze <pickle_file>`. This will flag unsafe imports including 'cProfile'. Additionally, the test case added in the fix uses a pickle payload that imports 'run' from 'cProfile' and executes code, which can be used as a detection pattern. There are no specific network commands provided, but scanning pickle files with the updated fickling tool is the recommended detection method. [1, 3]
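
As an added example (not fickling's own code, nor part of this advisory), the following static import lister walks a pickle's opcode stream with pickletools and never loads it, then applies a hypothetical blocklist to show the classification gap described above: with cProfile missing from the list the sample is only SUSPICIOUS, with it present the same bytes become OVERTLY_MALICIOUS. The sample pickles are constructed inline and merely reference cProfile.run with no call opcode; the blocklist and the labels are modelled on the advisory's wording, not taken from fickling's source.

```python
import pickle
import pickletools

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}  # PUT-family memo writes not tracked
# Illustrative blocklist, hypothetical and not fickling's own. The CVE's point:
# a list that omits cProfile misses run(), which exec()s its string argument.
UNSAFE_MODULES = {"os", "subprocess", "builtins", "cProfile"}

def pickle_imports(data: bytes) -> list:
    """Statically list (module, name) pairs a pickle would import, using
    pickletools.genops only; the pickle is never loaded."""
    found, strings, memo = [], [], {}
    last = None  # string pushed by the previous opcode, if any
    n_memo = 0   # MEMOIZE assigns sequential memo indexes
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":              # protocol 0-3: "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":      # protocol 4+: two strings on stack
            if len(strings) >= 2:
                found.append((strings[-2], strings[-1]))
        elif op.name in STRING_OPS:
            strings.append(arg)
            last = arg
            continue
        elif op.name == "MEMOIZE":           # stack top unchanged
            if last is not None:
                memo[n_memo] = last
            n_memo += 1
            continue
        elif op.name in GET_OPS and arg in memo:
            strings.append(memo[arg])
            last = memo[arg]
            continue
        last = None
    return found

def classify(data: bytes, unsafe_modules=UNSAFE_MODULES) -> str:
    """Labels modelled on fickling's, not its actual decision logic."""
    imports = pickle_imports(data)
    if any(module in unsafe_modules for module, _ in imports):
        return "OVERTLY_MALICIOUS"
    return "SUSPICIOUS" if imports else "LIKELY_SAFE"

# Constructed samples: a bare reference to cProfile.run with no call opcode,
# in protocol 0 (GLOBAL) and protocol 4 (STACK_GLOBAL), plus a benign dict.
SAMPLE_PROTO0 = b"ccProfile\nrun\n."
SAMPLE_PROTO4 = b"\x80\x04\x8c\x08cProfile\x94\x8c\x03run\x94\x93."
BENIGN = pickle.dumps({"weights": [1, 2, 3]})
```

Running `classify(SAMPLE_PROTO4, {"os", "subprocess"})` reproduces the pre-0.1.7 outcome (SUSPICIOUS), while the default list returns OVERTLY_MALICIOUS.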


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade fickling to version 0.1.7 or later, which includes the patch that adds 'cProfile' and its functions to the unsafe imports blocklist, preventing malicious pickles using 'cProfile.run()' from being misclassified as merely suspicious. Avoid relying on versions of fickling at or below 0.1.6 for security gating of pickle deserialization. Additionally, review workflows and products that use fickling as a security gate and ensure they are updated to use the patched version. If upgrading is not immediately possible, consider additional manual inspection or alternative security controls for pickle deserialization to prevent execution of attacker-controlled code. [2, 3]

