High severityOSV Advisory· Published Jan 10, 2026· Updated Jan 13, 2026

Fickling has a bypass via runpy.run_path() and runpy.run_module()

CVE-2026-22606

Description

Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python’s runpy module as unsafe. Because of this, a malicious pickle that uses runpy.run_path() or runpy.run_module() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling’s output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
ficklingPyPI	< 0.1.7	0.1.7

Affected products

Trailofbits/FicklingOSV
Range: master, v0.0.1, v0.0.2, …

Patches

9a2b3f89bd05

Add runpy to unsafe modules

https://github.com/trailofbits/ficklingThomas ChauchefoinJan 7, 2026via ghsa

commit

2 files changed · +29 −0

fickling/fickle.py+1 −0 modified

@@ -878,6 +878,7 @@ def unsafe_imports(self) -> Iterator[ast.Import | ast.ImportFrom]:
                 "pty",
                 "marshal",
                 "types",
+                "runpy",
             ):
                 yield node
             elif "eval" in (n.name for n in node.names):

test/test_bypasses.py+28 −0 modified

@@ -83,3 +83,31 @@ def test_missing_marshal_and_types(self):
         )
 
         self.assertGreater(check_safety(opcodes).severity, Severity.LIKELY_SAFE)
+
+    # https://github.com/trailofbits/fickling/security/advisories/GHSA-wfq2-52f7-7qvj
+    def test_missing_runpy(self):
+        pickled = Pickled(
+            [
+                op.Proto.create(5),
+                op.Frame(46),
+                op.ShortBinUnicode("runpy"),
+                op.Memoize(),
+                op.ShortBinUnicode("run_path"),
+                op.Memoize(),
+                op.StackGlobal(),
+                op.Memoize(),
+                op.ShortBinUnicode("/tmp/malicious.py"),
+                op.Memoize(),
+                op.TupleOne(),
+                op.Memoize(),
+                op.Reduce(),
+                op.Memoize(),
+                op.Stop(),
+            ]
+        )
+        res = check_safety(pickled)
+        self.assertGreater(res.severity, Severity.LIKELY_SAFE)
+        self.assertEqual(
+            res.detailed_results()["AnalysisResult"].get("UnsafeImports"),
+            "from runpy import run_path",
+        )

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-wfq2-52f7-7qvjghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-22606ghsaADVISORY
github.com/trailofbits/fickling/blob/977b0769c13537cd96549c12bb537f05464cf09c/test/test_bypasses.pyghsaWEB
github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66ghsax_refsource_MISCWEB
github.com/trailofbits/fickling/pull/108ghsaWEB
github.com/trailofbits/fickling/pull/187ghsaWEB
github.com/trailofbits/fickling/pull/195ghsaWEB
github.com/trailofbits/fickling/releases/tag/v0.1.7ghsax_refsource_MISCWEB
github.com/trailofbits/fickling/security/advisories/GHSA-565g-hwwr-4pp3ghsaWEB
github.com/trailofbits/fickling/security/advisories/GHSA-r7v6-mfhq-g3m2ghsaWEB
github.com/trailofbits/fickling/security/advisories/GHSA-wfq2-52f7-7qvjghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000