cvedb.io
CVE-2025-67747
HIGH · CVSS 7.8
EPSS exploitation probability: 0%
Published 2025-12-16T01:15:52.803 · Last modified 2026-06-17T09:58:04.753

Summary

Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 are missing `marshal` and `types` from the block list of unsafe module imports. Fickling started blocking both modules to address this issue. This allows an attacker to craft a malicious pickle file that can bypass fickling since it misses detections for `types.FunctionType` and `marshal.loads`. A user who deserializes such a file, believing it to be safe, would inadvertently execute arbitrary code on their system. This impacts any user or system that uses Fickling to vet pickle files for security issues. The issue was fixed in version 0.1.6.

Affected products

trailofbits — fickling

Does this affect you?

Add your gear to cvedb and we'll alert you only when trailofbits ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.