Vulnerability Description
Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 are missing `marshal` and `types` from the block list of unsafe module imports. Fickling started blocking both modules to address this issue. This allows an attacker to craft a malicious pickle file that can bypass fickling since it misses detections for `types.FunctionType` and `marshal.loads`. A user who deserializes such a file, believing it to be safe, would inadvertently execute arbitrary code on their system. This impacts any user or system that uses Fickling to vet pickle files for security issues. The issue was fixed in version 0.1.6.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Trailofbits | Fickling | < 0.1.6 |
Related Weaknesses (CWE)
References
- https://github.com/trailofbits/fickling/commit/4e34561301bda1450268d1d7b0b2b151dPatch
- https://github.com/trailofbits/fickling/pull/186Issue Tracking
- https://github.com/trailofbits/fickling/releases/tag/v0.1.6Release Notes
- https://github.com/trailofbits/fickling/security/advisories/GHSA-565g-hwwr-4pp3ExploitThird Party Advisory
FAQ
What is CVE-2025-67747?
CVE-2025-67747 is a vulnerability with a CVSS score of 7.8 (HIGH). Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 are missing `marshal` and `types` from the block list of unsafe module imports. Fickling started blocking both mod...
How severe is CVE-2025-67747?
CVE-2025-67747 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-67747?
Check the references section above for vendor advisories and patch information. Affected products include: Trailofbits Fickling.