VYPR

Fickling

by Trailofbits

pypi: fickling

CVEs (7)

  • CVE-2026-22612 (Jan 10, 2026)
    risk: 0.00, cvss: n/a, epss: 0.00

    Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, Fickling is vulnerable to detection bypass due to "builtins" blindness. This issue has been patched in version 0.1.7.

  • CVE-2026-22609 (Jan 10, 2026)
    risk: 0.00, cvss: n/a, epss: 0.01

    Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, the unsafe_imports() method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules…

  • CVE-2026-22608 (Jan 10, 2026)
    risk: 0.00, cvss: n/a, epss: 0.00

    Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, both ctypes and pydoc modules aren't explicitly blocked. Even other existing pickle scanning tools (like picklescan) do not block pydoc.locate. Chaining these two together can achieve RCE while…

  • CVE-2026-22607 (Jan 10, 2026)
    risk: 0.00, cvss: n/a, epss: 0.00

    Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python's cProfile module as unsafe. Because of this, a malicious pickle that uses cProfile.run() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a…

  • CVE-2026-22606 (Jan 10, 2026)
    risk: 0.00, cvss: n/a, epss: 0.00

    Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python’s runpy module as unsafe. Because of this, a malicious pickle that uses runpy.run_path() or runpy.run_module() is classified as SUSPICIOUS instead of…

  • CVE-2025-67748 (Dec 16, 2025)
    risk: 0.00, cvss: n/a, epss: 0.00

    Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 had a bypass caused by `pty` missing from the block list of unsafe module imports. This led to unsafe pickles based on `pty.spawn()` being incorrectly flagged as `LIKELY_SAFE`, and was fixed in…

  • CVE-2025-67747 (Dec 16, 2025)
    risk: 0.00, cvss: n/a, epss: 0.00

    Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 are missing `marshal` and `types` from the block list of unsafe module imports. Fickling started blocking both modules to address this issue. This allows an attacker to craft a malicious pickle…