Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Failure of fickling's safety gate lets an attacker-supplied pickle achieve full code execution during automated ML model loading, so AV:N/AC:L/PR:N/UI:N with total C/I/A impact.
Primary rating from Vendor (BombadilSystems).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7Blast Radius
ecosystem impact- 61 pypi packages depend on fickling (9 direct, 53 indirect)
Ecosystem-wide dependent count for version 0.1.12.
DescriptionNVD
In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shorten_code(node) on every import node it inspects, regardless of whether the import is flagged as unsafe. This call registers the shortened code representation in the shared AnalysisContext.reported_shortened_code set. When the MLAllowlist analysis pass subsequently runs, it calls the same shorten_code() method, receives already_reported=True for every import, and executes a continue statement that skips its allowlist check entirely. This renders MLAllowlist dead code for all imports - it never evaluates whether an import is in the ML allowlist or not. The MLAllowlist pass was designed to catch imports of modules outside the known-safe ML ecosystem (torch, numpy, transformers, etc.) that slip past the UnsafeImports denylist. With MLAllowlist inoperative, any standard library module not in the UNSAFE_IMPORTS denylist can be invoked via pickle deserialization while fickling's check_safety() returns LIKELY_SAFE. The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate, meaning a LIKELY_SAFE verdict causes the payload to be deserialized and executed. The root cause is shared mutable state between independently-correct analysis passes - UnsafeImportsML works as designed in isolation, MLAllowlist works as designed in isolation, but the shared reported_shortened_code set causes UnsafeImportsML to poison MLAllowlist's deduplication logic.
AnalysisAI
Security-control bypass in Trail of Bits fickling (≤0.1.11) neuters its MLAllowlist analysis pass so that malicious pickle files pass fickling's check_safety() gate as LIKELY_SAFE, enabling arbitrary code execution when fickling.load() deserializes them. Because UnsafeImportsML pre-registers every import in the shared reported_shortened_code set, MLAllowlist always short-circuits and never validates imports against the known-safe ML ecosystem, so any standard-library module outside the UNSAFE_IMPORTS denylist can be smuggled through. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the victim uses fickling ≤0.1.11 as a security gate-specifically fickling.load() or check_safety()-on an attacker-controlled pickle, and that the malicious payload relies on a module NOT present in fickling's UNSAFE_IMPORTS denylist (e.g., otherwise-benign standard-library imports) that MLAllowlist would normally have rejected. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The input CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, C/I/A:H = 9.8) reflects the downstream impact-arbitrary code execution via unsafe deserialization-rather than a directly network-reachable bug, since fickling itself is a library whose failure only manifests when a victim runs check_safety()/fickling.load() on an attacker-supplied pickle. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes a malicious ML model (or otherwise supplies a pickle) whose payload imports a standard-library module absent from fickling's UNSAFE_IMPORTS denylist to gain code execution during unpickling. A victim on fickling ≤0.1.11 calls fickling.load() (or check_safety()) as their safety gate; MLAllowlist never evaluates the import, check_safety() returns LIKELY_SAFE, and pickle.loads() runs the payload. … |
| Remediation | Vendor-released patch: 0.1.12-upgrade fickling to 0.1.12 or later (pip install --upgrade 'fickling>=0.1.12'), which refactors shorten_code() into a pure formatter plus an explicit mark_reported() call and unregisters MLAllowlist from automatic dedup so it always runs; see PR https://github.com/trailofbits/fickling/pull/278, commit 41ce7cb01edd97072994039574a2301ebb3f463d, and release https://github.com/trailofbits/fickling/releases/tag/v0.1.12. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and inventory all systems using Trail of Bits fickling version 0.1.11 or earlier; implement compensating controls by disabling deserialization of untrusted pickle files or restricting fickling to validated, trusted sources only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Fickling's static analyzer through version 0.1.6 fails to properly classify the cProfile module as unsafe during pickle
Fickling's incomplete pickle analysis allows attackers to bypass security checks by using Python's runpy module to execu
Fickling's static analyzer before version 0.1.7 fails to detect several dangerous Python modules in pickled objects, ena
Arbitrary code execution bypass in Trail of Bits fickling (versions ≤ 0.1.10) allows attackers to craft malicious pickle
Fickling versions prior to 0.1.7 fail to properly detect malicious pickle payloads due to inadequate handling of the "bu
Fickling before version 0.1.7 allows local attackers to achieve arbitrary code execution through Python pickle deseriali
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Deserialization
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41676
GHSA-mgx3-9w7v-8674