Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attacker-supplied pickle is network-deliverable (AV:N) and needs no auth (PR:N), but a victim must run the scanner/loader on it (UI:R); a successful bypass yields full RCE (C/I/A:H).
Primary rating from Vendor (BombadilSystems).
CVSS VectorVendor: BombadilSystems
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules _posixsubprocess, site, and atexit in the UNSAFE_IMPORTS denylist (fickle.py). Because these modules are absent from the denylist, fickling's check_safety() function returns LIKELY_SAFE with zero findings for pickle payloads that invoke dangerous functions including _posixsubprocess.fork_exec (C-level process spawner capable of executing arbitrary binaries), site.execsitecustomize (executes arbitrary site customization code), and atexit._run_exitfuncs (triggers all registered exit handler callbacks). The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate; a LIKELY_SAFE verdict causes the payload to be deserialized and executed. This shares the same root cause as CVE-2026-22607 (cProfile), CVE-2025-67748 (pty), and CVE-2025-67747 (marshal/types). OvertlyBadEvals does not flag these modules because they are standard library imports. UnsafeImports does not flag them because they are not in the denylist. The UnusedVariables heuristic is defeated by the SETITEMS opcode pattern.
AnalysisAI
Arbitrary code execution bypass in Trail of Bits fickling (versions ≤ 0.1.10) allows attackers to craft malicious pickle files that the tool's check_safety() gate rates LIKELY_SAFE with zero findings. Because the standard-library modules _posixsubprocess, site, and atexit are missing from the UNSAFE_IMPORTS denylist in fickle.py, payloads invoking _posixsubprocess.fork_exec, site.execsitecustomize, or atexit._run_exitfuncs pass the scanner and are then deserialized and executed by fickling.load(), which chains check_safety() into pickle.loads() as its security gate. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the victim use a vulnerable fickling version (≤ 0.1.10) to scan or load an attacker-controlled pickle - the pickle must import one of the three un-denylisted stdlib modules (_posixsubprocess for fork_exec, site for execsitecustomize, or atexit for _run_exitfuncs) to achieve code execution while still receiving a LIKELY_SAFE verdict. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base 8.8) reflects a network-deliverable, low-complexity, unauthenticated attack that requires user interaction - specifically, a victim must scan or load an attacker-supplied pickle with fickling. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes a malicious ML model (e.g., a PyTorch/pickle artifact) to a model hub or supplies it to a victim who uses fickling to vet untrusted pickles. The victim runs fickling.load() or check_safety() on the file; because the payload uses _posixsubprocess.fork_exec, fickling reports LIKELY_SAFE and then deserializes it, executing an arbitrary binary on the victim's host. … |
| Remediation | Vendor-released patch: upgrade fickling to v0.1.11 or later (https://github.com/trailofbits/fickling/releases/tag/v0.1.11), which adds the missing modules to the denylist per PR https://github.com/trailofbits/fickling/pull/272 and commit e8408615b63adf034f891f653692ab9b51f0f5af; review the advisory at https://github.com/trailofbits/fickling/security/advisories/GHSA-m6fh-58r7-x697. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running fickling ≤0.1.10 and identify which use cases process untrusted pickle sources; prioritize discontinuation or isolation of such systems. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-184 – Incomplete List of Disallowed Inputs
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41675
GHSA-v8cr-9jrc-fwf9