PT-2026-2227 · Fickling · Fickling
Thomas Chaufein +1
Published 2026-01-09 · Updated 2026-01-11
CVE-2026-22607
CVSS v4.0: 9.3 Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Fickling versions up to and including 0.1.6
Description
Fickling, a Python pickling decompiler and static analyzer, incorrectly classifies pickles utilizing the cProfile.run() function as SUSPICIOUS instead of OVERTLY MALICIOUS. This misclassification can lead users to execute attacker-controlled code if they rely on Fickling’s output to determine pickle safety for deserialization. This issue impacts any workflow or product using Fickling as a security gate for pickle deserialization.
Recommendations
Versions up to and including 0.1.6 should be updated to version 0.1.7 or later.
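The weakness behind this advisory is an incomplete denylist, so a loader that gates on a scanner's severity label alone inherits every gap in that list. As an added example (not Fickling's code and not part of the advisory), the following static check walks the pickle opcode stream with pickletools and rejects any import that is not explicitly allowlisted; the allowlist and the sample pickles are constructed here, and the cProfile.run sample only references the function without calling it.

```python
import collections
import cProfile
import pickle
import pickletools

# Constructed allowlist for this example: the only imports a loader may resolve.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

# Opcodes that push a string literal; STACK_GLOBAL consumes two of these.
STRING_PUSH_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
                   "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Statically list every (module, name) the pickle asks the loader to import.

    Only the opcode stream is inspected; nothing is deserialized. GLOBAL
    (protocols 0-3) carries "module name" as its argument. STACK_GLOBAL
    (protocol 4+) takes both from the stack, so the two preceding pushes
    (ignoring MEMOIZE/FRAME/PROTO) must be string literals; anything else
    fails closed, since an import we cannot resolve statically cannot be vetted.
    """
    found: list[tuple[str, str]] = []
    pushes: list[tuple[str, object]] = []  # (opcode name, argument) history
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(pushes) < 2 or not all(n in STRING_PUSH_OPS for n, _ in pushes[-2:]):
                raise ValueError("STACK_GLOBAL with non-literal operands; cannot vet")
            found.append((pushes[-2][1], pushes[-1][1]))
        if op.name not in ("MEMOIZE", "FRAME", "PROTO"):
            pushes.append((op.name, arg))
    return found

def is_allowed(data: bytes) -> bool:
    """Allowlist verdict: True only if every import is explicitly permitted."""
    try:
        return all(g in ALLOWED_GLOBALS for g in referenced_globals(data))
    except ValueError:
        return False

# Constructed samples. The cProfile pickles contain only a reference to the
# function (no REDUCE), so loading them would yield the function object itself.
BENIGN = pickle.dumps(collections.OrderedDict(a=1), protocol=4)
REFERENCES_CPROFILE_P4 = pickle.dumps(cProfile.run, protocol=4)  # STACK_GLOBAL path
REFERENCES_CPROFILE_P2 = pickle.dumps(cProfile.run, protocol=2)  # GLOBAL path

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("cProfile p4", REFERENCES_CPROFILE_P4),
                        ("cProfile p2", REFERENCES_CPROFILE_P2)]:
        print(label, referenced_globals(blob), "allowed" if is_allowed(blob) else "REJECTED")
```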
Incomplete List of Disallowed Inputs
Deserialization of Untrusted Data
Affected Products
Fickling