VYPR
High severity · OSV Advisory · Published Dec 16, 2025 · Updated Dec 16, 2025

Fickling has Code Injection vulnerability via pty.spawn()

CVE-2025-67748

Description

Fickling is a Python pickle decompiler and static analyzer. In versions prior to 0.1.6, the pty module was missing from Fickling's block list of unsafe module imports. As a result, malicious pickles whose payload calls pty.spawn() (which runs an arbitrary command attached to a new pseudo-terminal) were incorrectly classified as LIKELY_SAFE. The issue was fixed in version 0.1.6. It affected any user or system that relied on Fickling to vet pickle files for security issues before loading them.
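The bypass class described above, as an added example that is not part of this advisory or of Fickling's own code: two hand-assembled pickles that would call pty.spawn("/bin/sh") on load, a minimal pickletools-based import extractor, and a deny-list classifier run once with an illustrative pre-0.1.6-style list that lacks pty and once with pty added. The block lists, the verdict label LIKELY_UNSAFE, and the AllowlistUnpickler are assumptions made for illustration; only the LIKELY_SAFE label comes from the advisory. Nothing in the block imports or executes pty.

```python
import io
import pickle
import pickletools

# Constructed sample inputs: two pickles that call pty.spawn("/bin/sh") when
# loaded. They are hand-assembled from opcodes so this script never imports
# or runs pty itself.
# Protocol 0: GLOBAL pty spawn, MARK, STRING "/bin/sh", TUPLE, REDUCE, STOP
PTY_SPAWN_PROTO0 = b"cpty\nspawn\n(S'/bin/sh'\ntR."
# Protocol 4: PROTO 4, SHORT_BINUNICODE "pty", SHORT_BINUNICODE "spawn",
# STACK_GLOBAL, SHORT_BINUNICODE "/bin/sh", TUPLE1, REDUCE, STOP
PTY_SPAWN_PROTO4 = b"\x80\x04\x8c\x03pty\x8c\x05spawn\x93\x8c\x07/bin/sh\x85R."
# A benign pickle (a plain dict) for comparison.
BENIGN = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)

# Illustrative deny lists (assumptions for this example, not fickling's real
# tables): the first stands in for a pre-0.1.6 list that lacks pty, the
# second for one with pty added.
BLOCKLIST_WITHOUT_PTY = frozenset({"os", "subprocess", "sys", "builtins", "socket"})
BLOCKLIST_WITH_PTY = BLOCKLIST_WITHOUT_PTY | {"pty"}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def find_imports(data: bytes) -> list[tuple[str, str]]:
    """Statically list the (module, name) pairs a pickle would import, without loading it.

    GLOBAL carries "module name" inline; STACK_GLOBAL takes them from the two
    most recently pushed strings, which the small string stack tracks.
    """
    imports = []
    strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            imports.append((module, name))
        elif op.name == "STACK_GLOBAL":
            name = strings.pop()
            module = strings.pop()
            imports.append((module, name))
        elif op.name in STRING_OPS:
            strings.append(arg)
    return imports


def classify(data: bytes, blocklist: frozenset) -> str:
    """Mimic a deny-list verdict: LIKELY_UNSAFE if any imported top-level module is listed.

    LIKELY_SAFE is the label the advisory names; LIKELY_UNSAFE is a placeholder
    for the non-safe verdict.
    """
    hits = [m for m, _ in find_imports(data) if m.split(".")[0] in blocklist]
    return "LIKELY_UNSAFE" if hits else "LIKELY_SAFE"


class AllowlistUnpickler(pickle.Unpickler):
    """Fail-closed loader: every import not explicitly allowed is refused.

    A deny list misses whatever its authors did not think of (pty, here); an
    allow list needs no such foresight. Extend ALLOWED only with the globals
    your own data format legitimately needs.
    """
    ALLOWED = frozenset({("collections", "OrderedDict")})

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def safe_loads(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def rejected(data: bytes) -> bool:
    """True if the allow-list loader refuses the pickle before any import happens."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    for label, blob in (("proto0", PTY_SPAWN_PROTO0),
                        ("proto4", PTY_SPAWN_PROTO4),
                        ("benign", BENIGN)):
        print(f"{label:7} imports={find_imports(blob)} "
              f"without_pty={classify(blob, BLOCKLIST_WITHOUT_PTY)} "
              f"with_pty={classify(blob, BLOCKLIST_WITH_PTY)} "
              f"allowlist_rejects={rejected(blob)}")
```

Both malicious pickles come back LIKELY_SAFE under the list that lacks pty and LIKELY_UNSAFE once pty is added, which is exactly the gap the advisory describes. The practical checks that follow from it: pin the scanner to a fixed release (pip install "fickling>=0.1.6"), and treat any deny-list verdict as one signal rather than a guarantee, because the list is only as complete as the modules its authors remembered. Where you control the loading side, an allow-listing find_class override as above fails closed regardless of which module the payload names.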

Affected packages

Versions sourced from the GitHub Security Advisory.

Package    Ecosystem    Affected versions    Patched versions
fickling   PyPI         < 0.1.6              0.1.6
