CVE-2025-67747
Last modified
CVE-2025-67747 is a high-severity vulnerability rated 7.1/10 on the CVSS scale. Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 are missing `marshal` and `types` from the block list of unsafe module imports. EPSS estimates a 0.24% chance of exploitation in the next 30 days.
Description
Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 are missing `marshal` and `types` from the block list of unsafe module imports. Fickling started blocking both modules to address this issue. This allows an attacker to craft a malicious pickle file that can bypass fickling since it misses detections for `types.FunctionType` and `marshal.loads`. A user who deserializes such a file, believing it to be safe, would inadvertently execute arbitrary code on their system. This impacts any user or system that uses Fickling to vet pickle files for security issues. The issue was fixed in version 0.1.6.
Metrics
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Trailofbits | Fickling | < 0.1.6 |
References
- https://github.com/trailofbits/fickling/pull/186Issue Tracking
- https://github.com/trailofbits/fickling/security/advisories/GHSA-565g-hwwr-4pp3Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-67747?
How severe is CVE-2025-67747?
How do I fix CVE-2025-67747?
Are you affected by CVE-2025-67747?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST