Common Weakness Enumeration

CWE-502

Allowed

Deserialization of Untrusted Data

Abstraction: Base · Status: Draft

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

4802 vulnerabilities reference this CWE, most recent first.

GHSA-Q4RF-3FHX-88PF

Vulnerability from github – Published: 2021-09-01 18:27 – Updated: 2021-08-30 22:03
VLAI
Summary
YAML deserialization can run untrusted code
Details

Impact

An authorized user can upload a zip-format plugin with a crafted plugin.yaml, or a crafted aclpolicy yaml file, or upload an untrusted project archive with a crafted aclpolicy yaml file, that can cause the server to run untrusted code on Rundeck Community or Enterprise Edition. An authenticated user can make a POST request, that can cause the server to run untrusted code on Rundeck Enterprise Edition.

The zip-format plugin issues requires authentication and authorization to these access levels, and affects all Rundeck editions:

  • admin level access to the system resource type

The ACL Policy yaml file upload issues requires authentication and authorization to these access levels, and affects all Rundeck editions:

  • create update or admin level access to a project_acl resource
  • create update or admin level access to the system_acl resource

The unauthorized POST request requires authentication, but no specific authorization, and affects Rundeck Enterprise only.

Patches

Versions 3.4.3, 3.3.14

Workarounds

Please visit https://rundeck.com/security for information about specific workarounds.

For more information

If you have any questions or comments about this advisory: * Email us at security@rundeck.com

To report security issues to Rundeck please use the form at https://rundeck.com/security

Reporter: Rojan Rijal from Tinder Red Team

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.rundeck:rundeck-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.4.0"
            },
            {
              "fixed": "3.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.rundeck:rundeck-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-39132"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-30T22:03:16Z",
    "nvd_published_at": "2021-08-30T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nAn authorized user can upload a zip-format plugin with a crafted plugin.yaml, or a crafted aclpolicy yaml file, or upload an untrusted project archive with a crafted aclpolicy yaml file, that can cause the server to run untrusted code on Rundeck Community or Enterprise Edition.  An authenticated user can make a POST request, that can cause the server to run untrusted code on Rundeck Enterprise Edition.\n\nThe zip-format plugin issues requires authentication and authorization to these access levels, and affects all Rundeck editions:\n\n* `admin` level access to the `system` resource type\n\nThe ACL Policy yaml file upload issues requires authentication and authorization to these access levels, and affects all Rundeck editions: \n\n* `create` `update` or `admin` level access to a `project_acl` resource\n* `create` `update` or `admin` level access to the `system_acl` resource\n\nThe unauthorized POST request requires authentication, but no specific authorization, and affects Rundeck Enterprise only.\n\n### Patches\nVersions 3.4.3, 3.3.14\n\n### Workarounds\n\nPlease visit [https://rundeck.com/security](https://rundeck.com/security) for information about specific workarounds.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [security@rundeck.com](mailto:security@rundeck.com)\n\nTo report security issues to Rundeck please use the form at [https://rundeck.com/security](https://rundeck.com/security)\n\nReporter: Rojan Rijal from Tinder Red Team",
  "id": "GHSA-q4rf-3fhx-88pf",
  "modified": "2021-08-30T22:03:16Z",
  "published": "2021-09-01T18:27:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rundeck/rundeck/security/advisories/GHSA-q4rf-3fhx-88pf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39132"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rundeck/rundeck/commit/850d12e21d22833bc148b7f458d7cb5949f829b6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rundeck/rundeck"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "YAML deserialization can run untrusted code"
}

GHSA-Q4V7-4RHW-9HQM

Vulnerability from github – Published: 2018-07-18 18:27 – Updated: 2021-06-23 15:41
VLAI
Summary
Code Execution through IIFE in node-serialize
Details

Affected versions of node-serialize can be abused to execute arbitrary code via an immediately invoked function expression (IIFE) if untrusted user input is passed into unserialize().

Recommendation

There is no direct patch for this issue. The package author has reviewed this advisory, and provided the following recommendation:

To avoid the security issues, at least one of the following methods should be taken:

1. Make sure to send serialized strings internally, isolating them from potential hackers. For example, only sending the strings from backend to fronend and always using HTTPS instead of HTTP.

2. Introduce public-key cryptosystems (e.g. RSA) to ensure the strings not being tampered with.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "node-serialize"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-5941"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:51:00Z",
    "nvd_published_at": "2017-02-09T19:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "Affected versions of `node-serialize` can be abused to execute arbitrary code via an [immediately invoked function expression](https://en.wikipedia.org/wiki/Immediately-invoked_function_expression) (IIFE) if untrusted user input is passed into `unserialize()`.\n\n\n## Recommendation\n\nThere is no direct patch for this issue. The package author has reviewed this advisory, and provided the following recommendation:\n\n```\nTo avoid the security issues, at least one of the following methods should be taken:\n\n1. Make sure to send serialized strings internally, isolating them from potential hackers. For example, only sending the strings from backend to fronend and always using HTTPS instead of HTTP.\n\n2. Introduce public-key cryptosystems (e.g. RSA) to ensure the strings not being tampered with.\n```",
  "id": "GHSA-q4v7-4rhw-9hqm",
  "modified": "2021-06-23T15:41:17Z",
  "published": "2018-07-18T18:27:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5941"
    },
    {
      "type": "WEB",
      "url": "https://github.com/luin/serialize/issues/4"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-q4v7-4rhw-9hqm"
    },
    {
      "type": "WEB",
      "url": "https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/311"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/161356/Node.JS-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/163222/Node.JS-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96225"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Code Execution through IIFE in node-serialize"
}

GHSA-Q4WH-GGFG-F2HJ

Vulnerability from github – Published: 2024-05-03 03:31 – Updated: 2024-05-03 03:31
VLAI
Details

Inductive Automation Ignition Base64Element Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability.

The specific flaw exists within the Base64Element class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-21801.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-50220"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T03:16:10Z",
    "severity": "HIGH"
  },
  "details": "Inductive Automation Ignition Base64Element Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the Base64Element class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-21801.",
  "id": "GHSA-q4wh-ggfg-f2hj",
  "modified": "2024-05-03T03:31:06Z",
  "published": "2024-05-03T03:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50220"
    },
    {
      "type": "WEB",
      "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-015"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q565-26VC-VPX8

Vulnerability from github – Published: 2023-12-25 09:30 – Updated: 2024-09-09 21:31
VLAI
Details

An issue was discovered in RWS WorldServer before 11.7.3. /clientLogin deserializes Java objects without authentication, leading to command execution on the host.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34268"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-25T08:15:07Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in RWS WorldServer before 11.7.3. /clientLogin deserializes Java objects without authentication, leading to command execution on the host.",
  "id": "GHSA-q565-26vc-vpx8",
  "modified": "2024-09-09T21:31:21Z",
  "published": "2023-12-25T09:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34268"
    },
    {
      "type": "WEB",
      "url": "https://www.rws.com/localization/products/trados-enterprise/worldserver"
    },
    {
      "type": "WEB",
      "url": "https://www.triskelelabs.com/vulnerabilities-in-rws-worldserver"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q597-GQV4-7V97

Vulnerability from github – Published: 2024-07-10 18:32 – Updated: 2024-07-10 18:32
VLAI
Details

A vulnerability was found in zmops ArgusDBM up to 0.1.0. It has been classified as critical. Affected is the function getDefaultClassLoader of the file CalculateAlarm.java of the component AviatorScript Handler. The manipulation leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-271050 is the identifier assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6644"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-10T17:15:12Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in zmops ArgusDBM up to 0.1.0. It has been classified as critical. Affected is the function getDefaultClassLoader of the file CalculateAlarm.java of the component AviatorScript Handler. The manipulation leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-271050 is the identifier assigned to this vulnerability.",
  "id": "GHSA-q597-gqv4-7v97",
  "modified": "2024-07-10T18:32:17Z",
  "published": "2024-07-10T18:32:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6644"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zmops/ArgusDBM/issues/64"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.271050"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.271050"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.367347"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q5C4-RQQ9-F524

Vulnerability from github – Published: 2021-12-14 00:01 – Updated: 2021-12-17 00:01
VLAI
Details

The ToTop Link WordPress plugin through 1.7.1 passes base64 encoded user input to the unserialize() PHP function, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-24857"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-13T11:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The ToTop Link WordPress plugin through 1.7.1 passes base64 encoded user input to the unserialize() PHP function, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain.",
  "id": "GHSA-q5c4-rqq9-f524",
  "modified": "2021-12-17T00:01:01Z",
  "published": "2021-12-14T00:01:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24857"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/518204d8-fbf5-4bfa-9db5-835f908f8d8e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-Q5HH-P536-9725

Vulnerability from github – Published: 2024-11-14 15:32 – Updated: 2024-11-14 15:32
VLAI
Details

The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.9.107 via deserialization of untrusted input in the 'replace_row_data' and 'replace_serialize_data' functions. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site to trigger the exploit.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10962"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-14T14:15:17Z",
    "severity": "HIGH"
  },
  "details": "The Migration, Backup, Staging \u2013 WPvivid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.9.107 via deserialization of untrusted input in the \u0027replace_row_data\u0027 and \u0027replace_serialize_data\u0027 functions. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site to trigger the exploit.",
  "id": "GHSA-q5hh-p536-9725",
  "modified": "2024-11-14T15:32:16Z",
  "published": "2024-11-14T15:32:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10962"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/staging/class-wpvivid-staging-copy-db-ex.php#L1104"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/staging/class-wpvivid-staging-copy-db-ex.php#L1120"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3186082"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9b4eba78-29f2-4357-ab3c-7bc3c20e0e75?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q5HP-HPFF-J44C

Vulnerability from github – Published: 2025-01-15 00:30 – Updated: 2025-02-03 18:30
VLAI
Details

MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/add.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57764"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-15T00:15:34Z",
    "severity": "CRITICAL"
  },
  "details": "MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/add.",
  "id": "GHSA-q5hp-hpff-j44c",
  "modified": "2025-02-03T18:30:39Z",
  "published": "2025-01-15T00:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57764"
    },
    {
      "type": "WEB",
      "url": "https://gitee.com/wanglingxiao/mysiteforme/issues/IBFVCZ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q5P3-M74J-G94P

Vulnerability from github – Published: 2022-05-17 00:22 – Updated: 2022-05-17 00:22
VLAI
Details

The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distributed in OpenMRS Reference Application before 2.6.1, does not authenticate users when deserializing XML input into ReportSchema objects. The result is that remote unauthenticated users are able to execute operating system commands by crafting malicious XML payloads, as demonstrated by a single admin/reports/reportSchemaXml.form request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-12796"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-23T04:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distributed in OpenMRS Reference Application before 2.6.1, does not authenticate users when deserializing XML input into ReportSchema objects. The result is that remote unauthenticated users are able to execute operating system commands by crafting malicious XML payloads, as demonstrated by a single admin/reports/reportSchemaXml.form request.",
  "id": "GHSA-q5p3-m74j-g94p",
  "modified": "2022-05-17T00:22:31Z",
  "published": "2022-05-17T00:22:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12796"
    },
    {
      "type": "WEB",
      "url": "https://isears.github.io/jekyll/update/2017/10/21/openmrs-rce.html"
    },
    {
      "type": "WEB",
      "url": "https://talk.openmrs.org/t/critical-security-advisory-2017-09-12/13291"
    },
    {
      "type": "WEB",
      "url": "https://wiki.openmrs.org/display/RES/Release+Notes+2.6.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q5QQ-MVFM-J35X

Vulnerability from github – Published: 2026-01-09 21:12 – Updated: 2026-01-11 14:55
VLAI
Summary
Fickling has Static Analysis Bypass via Incomplete Dangerous Module Blocklist
Details

Fickling's assessment

ctypes, importlib, runpy, code and multiprocessing were added the list of unsafe imports (https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66, https://github.com/trailofbits/fickling/commit/eb299b453342f1931c787bcb3bc33f3a03a173f9, https://github.com/trailofbits/fickling/commit/29d5545e74b07766892c1f0461b801afccee4f91, https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1, https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1).

Original report

Summary

The unsafe_imports() method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected as unsafe, allowing attackers to bypass Fickling's primary static safety checks.

Details

In fickling/fickle.py lines 866-884, the unsafe_imports() method checks imported modules against a hardcoded tuple:

def unsafe_imports(self) -> Iterator[ast.Import | ast.ImportFrom]:
    for node in self.properties.imports:
        if node.module in (
            "__builtin__", "__builtins__", "builtins", "os", "posix", "nt",
            "subprocess", "sys", "builtins", "socket", "pty", "marshal", "types",
        ):
            yield node

This list is incomplete. The following dangerous modules are NOT detected:

  • ctypes: Allows arbitrary memory access, calling C functions, and bypassing Python restrictions entirely
  • importlib: Can dynamically import any module at runtime
  • runpy: Can execute Python modules as scripts
  • code: Can compile and execute arbitrary Python code
  • multiprocessing: Can spawn processes with arbitrary code

Since ctypes is part of the Python standard library, it also bypasses the NonStandardImports analysis.

PoC

from fickling.fickle import Pickled
from fickling.analysis import check_safety, Severity

# Pickle that imports ctypes.pythonapi (allows arbitrary code execution)
# PROTO 4, GLOBAL 'ctypes pythonapi', STOP
payload = b'\x80\x04cctypes\npythonapi\n.'

pickled = Pickled.load(payload)
results = check_safety(pickled)

print(f"Severity: {results.severity.name}")
print(f"Is safe: {results.severity == Severity.LIKELY_SAFE}")

# Output: Severity is LIKELY_SAFE or low - the ctypes import is not flagged
# A truly malicious pickle using ctypes could execute arbitrary code

Impact

Security Bypass (Confidentiality, Integrity, Availability)

An attacker can craft a malicious pickle that: 1. Imports ctypes to gain arbitrary memory access 2. Uses ctypes.pythonapi or ctypes.CDLL to execute arbitrary code 3. Passes Fickling's safety analysis as "likely safe" 4. Executes malicious code when the victim loads the pickle after trusting Fickling's verdict

This undermines the core purpose of Fickling as a pickle safety scanner.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.1.6"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "fickling"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22609"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184",
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-09T21:12:00Z",
    "nvd_published_at": "2026-01-10T02:15:50Z",
    "severity": "HIGH"
  },
  "details": "#Fickling\u0027s assessment\n\n`ctypes`, `importlib`, `runpy`, `code` and `multiprocessing` were added the list of unsafe imports (https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66, https://github.com/trailofbits/fickling/commit/eb299b453342f1931c787bcb3bc33f3a03a173f9, https://github.com/trailofbits/fickling/commit/29d5545e74b07766892c1f0461b801afccee4f91, https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1, https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1). \n\n# Original report\n\n## Summary\n\nThe `unsafe_imports()` method in Fickling\u0027s static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected as unsafe, allowing attackers to bypass Fickling\u0027s primary static safety checks.\n\n## Details\n\nIn `fickling/fickle.py` lines 866-884, the `unsafe_imports()` method checks imported modules against a hardcoded tuple:\n\n```python\ndef unsafe_imports(self) -\u003e Iterator[ast.Import | ast.ImportFrom]:\n    for node in self.properties.imports:\n        if node.module in (\n            \"__builtin__\", \"__builtins__\", \"builtins\", \"os\", \"posix\", \"nt\",\n            \"subprocess\", \"sys\", \"builtins\", \"socket\", \"pty\", \"marshal\", \"types\",\n        ):\n            yield node\n```\n\nThis list is incomplete. The following dangerous modules are NOT detected:\n\n- **ctypes**: Allows arbitrary memory access, calling C functions, and bypassing Python restrictions entirely\n- **importlib**: Can dynamically import any module at runtime\n- **runpy**: Can execute Python modules as scripts\n- **code**: Can compile and execute arbitrary Python code\n- **multiprocessing**: Can spawn processes with arbitrary code\n\nSince `ctypes` is part of the Python standard library, it also bypasses the `NonStandardImports` analysis.\n\n## PoC\n\n```python\nfrom fickling.fickle import Pickled\nfrom fickling.analysis import check_safety, Severity\n\n# Pickle that imports ctypes.pythonapi (allows arbitrary code execution)\n# PROTO 4, GLOBAL \u0027ctypes pythonapi\u0027, STOP\npayload = b\u0027\\x80\\x04cctypes\\npythonapi\\n.\u0027\n\npickled = Pickled.load(payload)\nresults = check_safety(pickled)\n\nprint(f\"Severity: {results.severity.name}\")\nprint(f\"Is safe: {results.severity == Severity.LIKELY_SAFE}\")\n\n# Output: Severity is LIKELY_SAFE or low - the ctypes import is not flagged\n# A truly malicious pickle using ctypes could execute arbitrary code\n```\n\n## Impact\n\n**Security Bypass (Confidentiality, Integrity, Availability)**\n\nAn attacker can craft a malicious pickle that:\n1. Imports `ctypes` to gain arbitrary memory access\n2. Uses `ctypes.pythonapi` or `ctypes.CDLL` to execute arbitrary code\n3. Passes Fickling\u0027s safety analysis as \"likely safe\"\n4. Executes malicious code when the victim loads the pickle after trusting Fickling\u0027s verdict\n\nThis undermines the core purpose of Fickling as a pickle safety scanner.",
  "id": "GHSA-q5qq-mvfm-j35x",
  "modified": "2026-01-11T14:55:13Z",
  "published": "2026-01-09T21:12:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-q5qq-mvfm-j35x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22609"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/pull/195"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/commit/29d5545e74b07766892c1f0461b801afccee4f91"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/commit/6b400e1a2525e6a4a076c97ccc0d4d9581317101"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/commit/eb299b453342f1931c787bcb3bc33f3a03a173f9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/trailofbits/fickling"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/blob/977b0769c13537cd96549c12bb537f05464cf09c/test/test_bypasses.py#L88"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Fickling has Static Analysis Bypass via Incomplete Dangerous Module Blocklist"
}

Mitigation
Architecture and Design Implementation

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Mitigation
Implementation

When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Mitigation
Implementation

Explicitly define a final object() to prevent deserialization.

Mitigation
Architecture and Design Implementation
  • Make fields transient to protect them from deserialization.
  • An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Implementation

Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.

Mitigation
Architecture and Design Implementation

Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-586: Object Injection

An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.