Description
Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python’s runpy module as unsafe. Because of this, a malicious pickle that uses runpy.run_path() or runpy.run_module() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling’s output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7.
Published: 2026-01-10
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

Fickling is intended to detect unsafe deserialization by analyzing Python pickles. In versions up to 0.1.6 the tool incorrectly classifies pickles that invoke Python’s runpy module—specifically runpy.run_path() or runpy.run_module()—as merely suspicious, not overtly malicious. An attacker can embed these calls within a malicious pickle; if an environment trusts Fickling’s markings and proceeds to deserialize such a file, the runpy calls will execute attacker‑controlled code, providing full code execution on the system.

Affected Systems

The vulnerability affects the Python package Fickling from the Trail of Bits vendor. All releases up to and including 0.1.6 are impacted. The fix is available in 0.1.7 and later versions.

Risk and Exploitability

The CVSS score is 8.9, indicating high severity, while the EPSS score is below 1%, suggesting a very low probability of exploitation in the wild at the time of analysis. The vulnerability is not currently listed in the CISA KEV catalog. An attacker would craft a malicious pickle that triggers runpy execution; if a system trusts Fickling’s classification and deserializes the payload, arbitrary code execution is achieved. The attack vector requires delivery of a crafted pickle to the target, typically via file ingestion or network transfer, but does not rely on other infrastructure or privileged access.

Generated by OpenCVE AI on April 18, 2026 at 07:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fickling to version 0.1.7 or later immediately.
  • If upgrade is not feasible, augment pickle handling so that deserialization does not rely solely on Fickling’s output; implement additional checks such as a whitelist or manual inspection for runpy usage.
  • Implement an environment policy that treats any pickle invoking runpy as overtly malicious and blocks its execution until a validated patch is applied.

Generated by OpenCVE AI on April 18, 2026 at 07:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wfq2-52f7-7qvj Fickling has a bypass via runpy.run_path() and runpy.run_module()
History

Fri, 16 Jan 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:trailofbits:fickling:*:*:*:*:*:python:*:*
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Tue, 13 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 12 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Trailofbits
Trailofbits fickling
Vendors & Products Trailofbits
Trailofbits fickling

Sat, 10 Jan 2026 01:45:00 +0000

Type Values Removed Values Added
Description Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python’s runpy module as unsafe. Because of this, a malicious pickle that uses runpy.run_path() or runpy.run_module() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling’s output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7.
Title Fickling has a bypass via runpy.run_path() and runpy.run_module()
Weaknesses CWE-184
CWE-502
References
Metrics cvssV4_0

{'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Trailofbits Fickling
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-13T19:58:14.707Z

Reserved: 2026-01-07T21:50:39.533Z

Link: CVE-2026-22606

cve-icon Vulnrichment

Updated: 2026-01-13T19:58:00.953Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-10T02:15:49.637

Modified: 2026-01-16T18:59:35.140

Link: CVE-2026-22606

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T07:30:36Z

Weaknesses