CVE-2025-67748
fickling < 0.1.6 - Unsafe Pickle Misclassification via pty Module Import Bypass
Severity
HIGH
Title source: llmDescription
Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 had a bypass caused by `pty` missing from the block list of unsafe module imports. This led to unsafe pickles based on `pty.spawn()` being incorrectly flagged as `LIKELY_SAFE`, and was fixed in version 0.1.6. This impacted any user or system that used Fickling to vet pickle files for security issues.
References (3)
Exploit, Vendor Advisory (x_refsource_confirm): https://github.com/trailofbits/fickling/security/advisories/GHSA-r7v6-mfhq-g3m2
Issue Tracking, Patch (x_refsource_misc): https://github.com/trailofbits/fickling/pull/108
Issue Tracking, Patch (x_refsource_misc): https://github.com/trailofbits/fickling/pull/187
Scores
CVSS v3
7.8
EPSS
0.0024
EPSS Percentile
14.1%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-184
CWE-94
CWE-502
Status
published
Products (2)
pypi/fickling
0 - 0.1.6 (PyPI)
trailofbits/fickling
< 0.1.6
Published
Dec 16, 2025
Tracked Since
Feb 18, 2026