VYPR
← All advisories
High severityOSV Advisory· Published Dec 16, 2025· Updated Dec 16, 2025

Fickling has missing detection for marshal.loads and types.FunctionType in unsafe modules list

CVE-2025-67747

Description

Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 are missing marshal and types from the block list of unsafe module imports. Fickling started blocking both modules to address this issue. This allows an attacker to craft a malicious pickle file that can bypass fickling since it misses detections for types.FunctionType and marshal.loads. A user who deserializes such a file, believing it to be safe, would inadvertently execute arbitrary code on their system. This impacts any user or system that uses Fickling to vet pickle files for security issues. The issue was fixed in version 0.1.6.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
ficklingPyPI
< 0.1.60.1.6

Affected products

1

Patches

1
4e34561301bd

Add marshal and types to unsafe modules

https://github.com/trailofbits/ficklingThomas ChauchefoinDec 15, 2025via ghsa
commit
2 files changed · +48 0
  • fickling/fickle.py+2 0 modified
    @@ -875,6 +875,8 @@ def unsafe_imports(self) -> Iterator[ast.Import | ast.ImportFrom]:
                 "sys",
                 "builtins",
                 "socket",
+                "marshal",
+                "types",
             ):
                 yield node
             elif "eval" in (n.name for n in node.names):
  • test/test_bypasses.py+46 0 added
    @@ -0,0 +1,46 @@
+import marshal
+from unittest import TestCase
+
+import fickling.fickle as op
+from fickling.analysis import Severity, check_safety
+from fickling.fickle import Pickled
+
+
+class TestBypasses(TestCase):
+    # https://github.com/trailofbits/fickling/security/advisories/GHSA-565g-hwwr-4pp3
+    def test_missing_marshal_and_types(self):
+        code = compile('import os\nos.system("id")', "<string>", "exec")
+        opcodes = Pickled(
+            [
+                op.Proto(4),
+                op.Frame(0),
+                op.ShortBinUnicode("marshal"),
+                op.ShortBinUnicode("loads"),
+                op.StackGlobal(),
+                op.Memoize(),
+                op.BinGet(0),
+                op.ShortBinBytes(marshal.dumps(code)),
+                op.TupleOne(),
+                op.Reduce(),
+                op.Memoize(),
+                op.ShortBinUnicode("types"),
+                op.ShortBinUnicode("FunctionType"),
+                op.StackGlobal(),
+                op.Memoize(),
+                op.BinGet(2),
+                op.BinGet(1),
+                op.EmptyDict(),
+                op.TupleTwo(),
+                op.Reduce(),
+                op.Memoize(),
+                op.BinGet(3),
+                op.EmptyTuple(),
+                op.Reduce(),
+                op.Memoize(),
+                op.ShortBinUnicode("gottem"),
+                op.Build(),
+                op.Stop(),
+            ]
+        )
+
+        self.assertGreater(check_safety(opcodes).severity, Severity.LIKELY_SAFE)

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.