PT-2025-51355 · Fickling · Fickling
Published 2025-12-15 · Updated 2025-12-21 · CVE-2025-67748
CVSS v4.0: 8.5 High
| Vector | AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Fickling versions prior to 0.1.6
Description
Fickling, a Python pickling decompiler and static analyzer, contained a bypass caused by a missing entry in its list of unsafe module imports. Specifically, the pty module was not included in the block list, so pickles that use pty.spawn() were incorrectly identified as safe. This impacted users and systems relying on Fickling for pickle file security assessments.
Recommendations
Update to Fickling version 0.1.6 or later.
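The weakness described above is a block list that silently passes whatever it forgot to name. The scanner below is an added example, not Fickling's code: it walks a pickle's opcodes with the standard pickletools module (never calling pickle.loads), lists every GLOBAL/STACK_GLOBAL import, and shows how an allowlist of expected modules fails closed where a gap-ridden block list does not. The block list, allowlist and sample pickles are constructed for illustration.

```python
# Added example (not Fickling's code): walk pickle opcodes with pickletools,
# never pickle.loads, and contrast a gap-ridden blocklist with an allowlist.
import collections
import pickle
import pickletools
from typing import List, Set, Tuple

# Constructed samples. PTY_REF is hand-built: a lone GLOBAL reference to
# pty.spawn with no REDUCE opcode, so nothing would be called on load.
BENIGN = pickle.dumps({"model": "demo", "weights": [0.1, 0.2]}, protocol=4)
STACK_REF = pickle.dumps(collections.OrderedDict, protocol=4)  # STACK_GLOBAL form
PTY_REF = b"\x80\x02cpty\nspawn\n."  # PROTO 2, GLOBAL "pty spawn", STOP

# Hypothetical blocklist with the kind of gap the advisory describes.
INCOMPLETE_BLOCKLIST: Set[str] = {"os", "subprocess", "sys", "builtins"}
# Constructed allowlist: only modules expected in a legitimate data pickle.
ALLOWLIST: Set[str] = {"builtins", "collections", "numpy", "torch"}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def imported_globals(data: bytes) -> List[Tuple[str, str]]:
    """Return (module, name) pairs referenced via GLOBAL or STACK_GLOBAL."""
    refs: List[Tuple[str, str]] = []
    strings: List[str] = []  # string pushes seen; STACK_GLOBAL takes the last two
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif op.name in STRING_OPS:
            strings.append(arg)
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            refs.append((strings[-2], strings[-1]))
    return refs

def blocklist_verdict(data: bytes, blocked: Set[str]) -> str:
    """Flags only listed modules; anything the list forgot passes as safe."""
    modules = {m for m, _ in imported_globals(data)}
    return "unsafe" if modules & blocked else "safe"

def allowlist_verdict(data: bytes, allowed: Set[str]) -> str:
    """Flags any module outside the expected set, so unknown imports fail closed."""
    modules = {m for m, _ in imported_globals(data)}
    return "unsafe" if modules - allowed else "safe"

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("OrderedDict", STACK_REF), ("pty.spawn", PTY_REF)):
        print(label, imported_globals(sample),
              "blocklist:", blocklist_verdict(sample, INCOMPLETE_BLOCKLIST),
              "allowlist:", allowlist_verdict(sample, ALLOWLIST))
```

The STACK_GLOBAL tracking is a deliberate approximation (last two string pushes) rather than a full pickle VM; a production scanner should model the stack exactly.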
Incomplete List of Disallowed Inputs
Code Injection
Deserialization of Untrusted Data
Related Identifiers
Affected Products
Fickling