Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

GHSA-q5qq-mvfm-j35x

Fickling has Static Analysis Bypass via Incomplete Dangerous Module Blocklist
Back to all
CVE

GHSA-q5qq-mvfm-j35x

Fickling has Static Analysis Bypass via Incomplete Dangerous Module Blocklist

#Fickling's assessment

ctypesimportlibrunpycode and multiprocessing were added the list of unsafe imports (https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66, https://github.com/trailofbits/fickling/commit/eb299b453342f1931c787bcb3bc33f3a03a173f9, https://github.com/trailofbits/fickling/commit/29d5545e74b07766892c1f0461b801afccee4f91, https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1, https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1). 

Original report

Summary

The unsafe_imports() method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected as unsafe, allowing attackers to bypass Fickling's primary static safety checks.

Details

In fickling/fickle.py lines 866-884, the unsafe_imports() method checks imported modules against a hardcoded tuple:

def unsafe_imports(self) -> Iterator[ast.Import | ast.ImportFrom]:
    for node in self.properties.imports:
        if node.module in (
            "__builtin__", "__builtins__", "builtins", "os", "posix", "nt",
            "subprocess", "sys", "builtins", "socket", "pty", "marshal", "types",
        ):
            yield node

This list is incomplete. The following dangerous modules are NOT detected:

  • ctypes: Allows arbitrary memory access, calling C functions, and bypassing Python restrictions entirely
  • importlib: Can dynamically import any module at runtime
  • runpy: Can execute Python modules as scripts
  • code: Can compile and execute arbitrary Python code
  • multiprocessing: Can spawn processes with arbitrary code

Since ctypes is part of the Python standard library, it also bypasses the NonStandardImports analysis.

PoC

from fickling.fickle import Pickled
from fickling.analysis import check_safety, Severity
## Pickle that imports ctypes.pythonapi (allows arbitrary code execution)
## PROTO 4, GLOBAL 'ctypes pythonapi', STOP
payload = b'\x80\x04cctypes\npythonapi\n.'
pickled = Pickled.load(payload)
results = check_safety(pickled)
print(f"Severity: {results.severity.name}")
print(f"Is safe: {results.severity == Severity.LIKELY_SAFE}")
## Output: Severity is LIKELY_SAFE or low - the ctypes import is not flagged
## A truly malicious pickle using ctypes could execute arbitrary code

Impact

Security Bypass (Confidentiality, Integrity, Availability)

An attacker can craft a malicious pickle that:

  1. Imports ctypes to gain arbitrary memory access
  2. Uses ctypes.pythonapi or ctypes.CDLL to execute arbitrary code
  3. Passes Fickling's safety analysis as "likely safe"
  4. Executes malicious code when the victim loads the pickle after trusting Fickling's verdict

This undermines the core purpose of Fickling as a pickle safety scanner.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.9
-
4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
9.8
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Related Resources

No items found.

References

https://github.com/trailofbits/fickling/security/advisories/GHSA-q5qq-mvfm-j35x, https://nvd.nist.gov/vuln/detail/CVE-2026-22609, https://github.com/trailofbits/fickling/pull/195, https://github.com/trailofbits/fickling/commit/29d5545e74b07766892c1f0461b801afccee4f91, https://github.com/trailofbits/fickling/commit/6b400e1a2525e6a4a076c97ccc0d4d9581317101, https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66, https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1, https://github.com/trailofbits/fickling/commit/eb299b453342f1931c787bcb3bc33f3a03a173f9, https://github.com/trailofbits/fickling, https://github.com/trailofbits/fickling/blob/977b0769c13537cd96549c12bb537f05464cf09c/test/test_bypasses.py#L88, https://github.com/trailofbits/fickling/releases/tag/v0.1.7

Severity

9.8

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
9.8
EPSS Probability
0.00137%
EPSS Percentile
0.34321%
Introduced Version
0,0.0.8,0.0.1
Fix Available
0.1.7

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading