PT-2025-51354 · Fickling · Fickling
Published 2025-12-16 · Updated 2026-01-14 · CVE-2025-67747
CVSS v4.0: 8.5 (High)
| Vector | AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Fickling versions prior to 0.1.6
Description
Fickling, a Python pickling decompiler and static analyzer, lacks marshal and types in its list of blocked unsafe module imports. This allows attackers to create malicious pickle files that bypass Fickling's security checks, specifically by utilizing types.FunctionType and marshal.loads. Deserializing these files can lead to arbitrary code execution on the system. This affects any user or system relying on Fickling to assess the security of pickle files.
Recommendations
Versions prior to 0.1.6 should be updated to version 0.1.6 or later.
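The weakness class here is an incomplete blocklist: a scanner that enumerates dangerous modules is only as good as that list. The following is an added illustration, not Fickling's own code, of the defender-side check involved: it disassembles a pickle stream with the standard library's pickletools (nothing is ever loaded or executed) and reports every import the stream would perform, so a blocklist can be applied to it. The blocklist, the sample pickles and all function names are constructed for this example; the "old" list merely approximates the pre-0.1.6 gap the advisory describes and is not a copy of Fickling's real list.

```python
import pickle
import pickletools

# Constructed blocklist for the example (not Fickling's list). It includes the
# two modules the advisory says were missing before 0.1.6: marshal and types.
UNSAFE_MODULES = frozenset({
    "os", "subprocess", "sys", "builtins", "importlib", "pickle",
    "marshal", "types",
})
# Approximation of a pre-0.1.6 style list, to show how the gap lets a file through.
OLD_BLOCKLIST = UNSAFE_MODULES - {"marshal", "types"}

# Opcodes that push a string constant; STACK_GLOBAL takes its module and name
# from the two most recent of these when produced by the standard pickler.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def imported_globals(data: bytes) -> list[tuple[str, str]]:
    """Return (module, name) for every import opcode in the stream.

    GLOBAL (protocols 0-3) carries "module name" inline; STACK_GLOBAL
    (protocol 4+) consumes the two preceding string pushes. The stream is
    only disassembled with pickletools.genops, so no code runs. Tracking
    recent string pushes is a simplification: a full scanner models the
    whole stack and memo, since a GET could also supply those operands.
    """
    found: list[tuple[str, str]] = []
    recent_strings: list[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(recent_strings) >= 2:
                found.append((recent_strings[-2], recent_strings[-1]))
            else:
                found.append(("<unknown>", "<unknown>"))
        elif op.name in STRING_OPS:
            recent_strings.append(arg)
    return found


def unsafe_imports(data: bytes, blocklist=UNSAFE_MODULES) -> list[tuple[str, str]]:
    """Imports whose top-level module is on the blocklist (e.g. os.path -> os)."""
    return [(m, n) for m, n in imported_globals(data)
            if m.split(".", 1)[0] in blocklist]


def is_safe(data: bytes, blocklist=UNSAFE_MODULES) -> bool:
    return not unsafe_imports(data, blocklist)


# Constructed sample inputs, hand-assembled so nothing is pickled by reference.
# Protocol 0: GLOBAL opcode ('c') naming marshal.loads, then STOP ('.').
SAMPLE_MARSHAL = b"cmarshal\nloads\n."
# Protocol 4: PROTO, SHORT_BINUNICODE "types", MEMOIZE, SHORT_BINUNICODE
# "FunctionType", MEMOIZE, STACK_GLOBAL, STOP.
SAMPLE_TYPES = (b"\x80\x04"
                + b"\x8c\x05types\x94"
                + b"\x8c\x0cFunctionType\x94"
                + b"\x93.")
# Ordinary data with no imports at all.
SAMPLE_BENIGN = pickle.dumps({"weights": [0.1, 0.2], "epoch": 3}, protocol=4)


if __name__ == "__main__":
    for label, blob in [("marshal sample", SAMPLE_MARSHAL),
                        ("types sample", SAMPLE_TYPES),
                        ("benign sample", SAMPLE_BENIGN)]:
        print(f"{label}: imports={imported_globals(blob)}")
        print(f"  old list -> {'safe' if is_safe(blob, OLD_BLOCKLIST) else 'BLOCKED'}")
        print(f"  new list -> {'safe' if is_safe(blob) else 'BLOCKED'}")
```

Run as-is, the two samples pass the old list and are blocked by the new one, while the benign dictionary passes both. The split on the first "." means adding a module also covers its submodules, which keeps the list from needing one entry per submodule.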
References: Exploit · Fix
Weakness: Deserialization of Untrusted Data · Incomplete List of Disallowed Inputs
Related Identifiers: CVE-2025-67747
Affected Products: Fickling