High severity · OSV Advisory · Published Jan 10, 2026 · Updated Jan 13, 2026
Fickling vulnerable to use of ctypes and pydoc gadget chain to bypass detection
CVE-2026-22608
Description
Fickling is a Python pickle decompiler and static analyzer. Prior to version 0.1.7, its scanner did not explicitly block the ctypes and pydoc modules. Other pickle scanning tools (such as picklescan) also do not block pydoc.locate. Chaining these two modules can achieve remote code execution while the scanner still reports the file as LIKELY_SAFE. This issue has been patched in version 0.1.7.
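The detection gap described above, as an added example that is not taken from this page or from fickling's own code: a stand-alone import-reference scanner built on the standard library's pickletools, run once with a blocklist that omits ctypes and pydoc and once with those two modules added. The blocklists, the sample pickles and the LIKELY_SAFE / LIKELY_UNSAFE labels are constructed for illustration and are not fickling's actual lists; the samples only reference the two modules and carry none of the gadget chain.

```python
"""Minimal import-reference scanner for pickle streams (added example).

Shows why a blocklist that omits ctypes and pydoc reports a pickle that
reaches into those modules as safe. Built on the standard library only;
not fickling's implementation, and the blocklists below are illustrative.
"""
import pickle
import pickletools
import pydoc

# Assumed pre-fix blocklist: the real list differs, this one simply lacks
# ctypes and pydoc, which is the condition the advisory describes.
LEGACY_BLOCKED_MODULES = frozenset({"os", "subprocess", "builtins", "sys", "importlib"})
# The same list with the two modules named in the advisory added.
PATCHED_BLOCKED_MODULES = LEGACY_BLOCKED_MODULES | {"ctypes", "pydoc"}

# Opcodes that push a string constant; STACK_GLOBAL consumes two of them.
_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
               "STRING", "BINSTRING", "SHORT_BINSTRING"}


def iter_global_refs(data):
    """Yield (module, name) for every GLOBAL / STACK_GLOBAL in the stream.

    GLOBAL (protocol <= 3) carries 'module name' as its argument.
    STACK_GLOBAL (protocol >= 4) takes module and name from the two most
    recently pushed strings. We track string pushes instead of emulating
    the full stack, and fail closed when the operands cannot be resolved.
    """
    strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in _STRING_OPS:
            strings.append(arg)
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            yield module, name
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                yield "<unresolved>", "<unresolved>"
            else:
                name = strings.pop()
                module = strings.pop()
                yield module, name


def scan(data, blocked_modules):
    """Return (verdict, offending_refs) for one pickle stream.

    A reference is flagged when its top-level package is on the blocklist
    (so ctypes.util is caught along with ctypes) or could not be resolved.
    """
    refs = list(iter_global_refs(data))
    flagged = [(m, n) for m, n in refs
               if m.split(".")[0] in blocked_modules or m == "<unresolved>"]
    verdict = "LIKELY_UNSAFE" if flagged else "LIKELY_SAFE"
    return verdict, flagged


# Constructed samples: a benign model-like dict, a protocol 4 pickle whose
# STACK_GLOBAL resolves pydoc.locate, and a hand-written protocol 2 stream
# whose GLOBAL opcode names ctypes.CDLL. Loading any of them only imports
# the referenced object; nothing here executes code.
BENIGN = pickle.dumps({"weights": [0.1, 0.2], "name": "model"}, protocol=4)
PYDOC_REF = pickle.dumps(pydoc.locate, protocol=4)
CTYPES_REF = b"\x80\x02cctypes\nCDLL\n."


def demo():
    """Scan each sample with both blocklists; returns {label: (legacy, patched)}."""
    results = {}
    for label, blob in (("benign", BENIGN), ("pydoc", PYDOC_REF), ("ctypes", CTYPES_REF)):
        results[label] = (scan(blob, LEGACY_BLOCKED_MODULES)[0],
                          scan(blob, PATCHED_BLOCKED_MODULES)[0])
    return results


if __name__ == "__main__":
    for label, (legacy, patched) in demo().items():
        print(f"{label:7s} legacy={legacy:14s} patched={patched}")
```

With the legacy list both module-referencing samples come back LIKELY_SAFE; adding ctypes and pydoc to the blocklist flips them to LIKELY_UNSAFE while the benign dict stays safe. A blocklist is only as good as its contents, which is the point of the advisory: the fix is an allowlist or blocklist update, not a change in how the scanner parses pickles.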
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fickling (PyPI) | < 0.1.7 | 0.1.7 |
Affected products
- Range: master, v0.0.1, v0.0.2, …
References
- github.com/advisories/GHSA-5hvc-6wx8-mvv4 [ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2026-22608 [ADVISORY]
- github.com/trailofbits/fickling/blob/977b0769c13537cd96549c12bb537f05464cf09c/test/test_bypasses.py [WEB]
- github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1 [WEB]
- github.com/trailofbits/fickling/commit/d0b00d584afb5c58e38991cd544cb3889de90db6 [WEB]
- github.com/trailofbits/fickling/pull/195 [WEB]
- github.com/trailofbits/fickling/releases/tag/v0.1.7 [WEB]
- github.com/trailofbits/fickling/security/advisories/GHSA-5hvc-6wx8-mvv4 [WEB]