CVE-2026-22612
Detection Bypass in Fickling Python Pickling Decompiler
Publication date: 2026-01-10
Last updated on: 2026-01-10
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trailofbits | fickling | to 0.1.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22612 is a detection bypass vulnerability in the Python package 'fickling', which analyzes Pickle bytecode by converting it to an Abstract Syntax Tree (AST). The vulnerability arises because the tool deliberately omits AST import nodes for Python's built-in modules ('__builtin__', '__builtins__', 'builtins'), a behavior called 'builtins blindness'. Since these built-in imports are skipped, the security scanner cannot detect malicious imports of dangerous built-in functions that can execute arbitrary code. This allows attackers to craft pickle payloads that evade detection by hiding imports of modules like 'os' via the built-in '__import__' function, enabling execution of arbitrary commands without being flagged by the security analysis. The issue was fixed by changing the code to always emit AST import nodes for built-in modules, restoring visibility to the scanner and preventing such bypasses. [2, 3]
How can this vulnerability impact me? :
This vulnerability can allow attackers to bypass security detection mechanisms in the 'fickling' tool when analyzing Pickle bytecode. As a result, malicious pickle payloads that execute arbitrary code can evade detection, potentially leading to unauthorized code execution on systems that rely on 'fickling' for security analysis. This could compromise system integrity, confidentiality, and availability by allowing attackers to run harmful commands or scripts undetected. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing pickle payloads for the presence of built-in imports that are normally omitted in the AST by vulnerable versions of fickling (β€ 0.1.6). Specifically, look for pickle payloads that use the built-in __import__ function to dynamically import dangerous modules like 'os' and execute system commands. Detection can be done by running the fixed version (β₯ 0.1.7) of fickling which emits explicit AST import nodes for builtins and flags unsafe imports. A test example from the fix uses a pickle payload that calls builtins.__import__('os').system('whoami'). While no direct commands are provided, using the updated fickling tool to analyze pickle files will detect such bypasses. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade fickling to version 0.1.7 or later, where the vulnerability has been patched. The patch ensures that import AST nodes for built-in modules are emitted explicitly, preventing bypasses of the security analysis. Additionally, reviewing and blocking untrusted pickle data inputs can reduce risk. Using the updated version of fickling will restore detection of malicious pickle payloads that exploit built-in import bypasses. [1, 2, 3]