CWE-502
AllowedDeserialization of Untrusted Data
Abstraction: Base · Status: Draft
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
4802 vulnerabilities reference this CWE, most recent first.
GHSA-Q4RF-3FHX-88PF
Vulnerability from github – Published: 2021-09-01 18:27 – Updated: 2021-08-30 22:03Impact
An authorized user can upload a zip-format plugin with a crafted plugin.yaml, or a crafted aclpolicy yaml file, or upload an untrusted project archive with a crafted aclpolicy yaml file, that can cause the server to run untrusted code on Rundeck Community or Enterprise Edition. An authenticated user can make a POST request, that can cause the server to run untrusted code on Rundeck Enterprise Edition.
The zip-format plugin issues requires authentication and authorization to these access levels, and affects all Rundeck editions:
adminlevel access to thesystemresource type
The ACL Policy yaml file upload issues requires authentication and authorization to these access levels, and affects all Rundeck editions:
createupdateoradminlevel access to aproject_aclresourcecreateupdateoradminlevel access to thesystem_aclresource
The unauthorized POST request requires authentication, but no specific authorization, and affects Rundeck Enterprise only.
Patches
Versions 3.4.3, 3.3.14
Workarounds
Please visit https://rundeck.com/security for information about specific workarounds.
For more information
If you have any questions or comments about this advisory: * Email us at security@rundeck.com
To report security issues to Rundeck please use the form at https://rundeck.com/security
Reporter: Rojan Rijal from Tinder Red Team
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.rundeck:rundeck-core"
},
"ranges": [
{
"events": [
{
"introduced": "3.4.0"
},
{
"fixed": "3.4.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.rundeck:rundeck-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-39132"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-30T22:03:16Z",
"nvd_published_at": "2021-08-30T20:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nAn authorized user can upload a zip-format plugin with a crafted plugin.yaml, or a crafted aclpolicy yaml file, or upload an untrusted project archive with a crafted aclpolicy yaml file, that can cause the server to run untrusted code on Rundeck Community or Enterprise Edition. An authenticated user can make a POST request, that can cause the server to run untrusted code on Rundeck Enterprise Edition.\n\nThe zip-format plugin issues requires authentication and authorization to these access levels, and affects all Rundeck editions:\n\n* `admin` level access to the `system` resource type\n\nThe ACL Policy yaml file upload issues requires authentication and authorization to these access levels, and affects all Rundeck editions: \n\n* `create` `update` or `admin` level access to a `project_acl` resource\n* `create` `update` or `admin` level access to the `system_acl` resource\n\nThe unauthorized POST request requires authentication, but no specific authorization, and affects Rundeck Enterprise only.\n\n### Patches\nVersions 3.4.3, 3.3.14\n\n### Workarounds\n\nPlease visit [https://rundeck.com/security](https://rundeck.com/security) for information about specific workarounds.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [security@rundeck.com](mailto:security@rundeck.com)\n\nTo report security issues to Rundeck please use the form at [https://rundeck.com/security](https://rundeck.com/security)\n\nReporter: Rojan Rijal from Tinder Red Team",
"id": "GHSA-q4rf-3fhx-88pf",
"modified": "2021-08-30T22:03:16Z",
"published": "2021-09-01T18:27:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rundeck/rundeck/security/advisories/GHSA-q4rf-3fhx-88pf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39132"
},
{
"type": "WEB",
"url": "https://github.com/rundeck/rundeck/commit/850d12e21d22833bc148b7f458d7cb5949f829b6"
},
{
"type": "PACKAGE",
"url": "https://github.com/rundeck/rundeck"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "YAML deserialization can run untrusted code"
}
GHSA-Q4V7-4RHW-9HQM
Vulnerability from github – Published: 2018-07-18 18:27 – Updated: 2021-06-23 15:41Affected versions of node-serialize can be abused to execute arbitrary code via an immediately invoked function expression (IIFE) if untrusted user input is passed into unserialize().
Recommendation
There is no direct patch for this issue. The package author has reviewed this advisory, and provided the following recommendation:
To avoid the security issues, at least one of the following methods should be taken:
1. Make sure to send serialized strings internally, isolating them from potential hackers. For example, only sending the strings from backend to fronend and always using HTTPS instead of HTTP.
2. Introduce public-key cryptosystems (e.g. RSA) to ensure the strings not being tampered with.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "node-serialize"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-5941"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:51:00Z",
"nvd_published_at": "2017-02-09T19:59:00Z",
"severity": "CRITICAL"
},
"details": "Affected versions of `node-serialize` can be abused to execute arbitrary code via an [immediately invoked function expression](https://en.wikipedia.org/wiki/Immediately-invoked_function_expression) (IIFE) if untrusted user input is passed into `unserialize()`.\n\n\n## Recommendation\n\nThere is no direct patch for this issue. The package author has reviewed this advisory, and provided the following recommendation:\n\n```\nTo avoid the security issues, at least one of the following methods should be taken:\n\n1. Make sure to send serialized strings internally, isolating them from potential hackers. For example, only sending the strings from backend to fronend and always using HTTPS instead of HTTP.\n\n2. Introduce public-key cryptosystems (e.g. RSA) to ensure the strings not being tampered with.\n```",
"id": "GHSA-q4v7-4rhw-9hqm",
"modified": "2021-06-23T15:41:17Z",
"published": "2018-07-18T18:27:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5941"
},
{
"type": "WEB",
"url": "https://github.com/luin/serialize/issues/4"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-q4v7-4rhw-9hqm"
},
{
"type": "WEB",
"url": "https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/311"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/161356/Node.JS-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/163222/Node.JS-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96225"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Code Execution through IIFE in node-serialize"
}
GHSA-Q4WH-GGFG-F2HJ
Vulnerability from github – Published: 2024-05-03 03:31 – Updated: 2024-05-03 03:31Inductive Automation Ignition Base64Element Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability.
The specific flaw exists within the Base64Element class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-21801.
{
"affected": [],
"aliases": [
"CVE-2023-50220"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T03:16:10Z",
"severity": "HIGH"
},
"details": "Inductive Automation Ignition Base64Element Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the Base64Element class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-21801.",
"id": "GHSA-q4wh-ggfg-f2hj",
"modified": "2024-05-03T03:31:06Z",
"published": "2024-05-03T03:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50220"
},
{
"type": "WEB",
"url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-015"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q565-26VC-VPX8
Vulnerability from github – Published: 2023-12-25 09:30 – Updated: 2024-09-09 21:31An issue was discovered in RWS WorldServer before 11.7.3. /clientLogin deserializes Java objects without authentication, leading to command execution on the host.
{
"affected": [],
"aliases": [
"CVE-2022-34268"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-25T08:15:07Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in RWS WorldServer before 11.7.3. /clientLogin deserializes Java objects without authentication, leading to command execution on the host.",
"id": "GHSA-q565-26vc-vpx8",
"modified": "2024-09-09T21:31:21Z",
"published": "2023-12-25T09:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34268"
},
{
"type": "WEB",
"url": "https://www.rws.com/localization/products/trados-enterprise/worldserver"
},
{
"type": "WEB",
"url": "https://www.triskelelabs.com/vulnerabilities-in-rws-worldserver"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q597-GQV4-7V97
Vulnerability from github – Published: 2024-07-10 18:32 – Updated: 2024-07-10 18:32A vulnerability was found in zmops ArgusDBM up to 0.1.0. It has been classified as critical. Affected is the function getDefaultClassLoader of the file CalculateAlarm.java of the component AviatorScript Handler. The manipulation leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-271050 is the identifier assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-6644"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-10T17:15:12Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in zmops ArgusDBM up to 0.1.0. It has been classified as critical. Affected is the function getDefaultClassLoader of the file CalculateAlarm.java of the component AviatorScript Handler. The manipulation leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-271050 is the identifier assigned to this vulnerability.",
"id": "GHSA-q597-gqv4-7v97",
"modified": "2024-07-10T18:32:17Z",
"published": "2024-07-10T18:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6644"
},
{
"type": "WEB",
"url": "https://github.com/zmops/ArgusDBM/issues/64"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.271050"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.271050"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.367347"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q5C4-RQQ9-F524
Vulnerability from github – Published: 2021-12-14 00:01 – Updated: 2021-12-17 00:01The ToTop Link WordPress plugin through 1.7.1 passes base64 encoded user input to the unserialize() PHP function, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain.
{
"affected": [],
"aliases": [
"CVE-2021-24857"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-13T11:15:00Z",
"severity": "CRITICAL"
},
"details": "The ToTop Link WordPress plugin through 1.7.1 passes base64 encoded user input to the unserialize() PHP function, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain.",
"id": "GHSA-q5c4-rqq9-f524",
"modified": "2021-12-17T00:01:01Z",
"published": "2021-12-14T00:01:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24857"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/518204d8-fbf5-4bfa-9db5-835f908f8d8e"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q5HH-P536-9725
Vulnerability from github – Published: 2024-11-14 15:32 – Updated: 2024-11-14 15:32The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.9.107 via deserialization of untrusted input in the 'replace_row_data' and 'replace_serialize_data' functions. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site to trigger the exploit.
{
"affected": [],
"aliases": [
"CVE-2024-10962"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-14T14:15:17Z",
"severity": "HIGH"
},
"details": "The Migration, Backup, Staging \u2013 WPvivid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.9.107 via deserialization of untrusted input in the \u0027replace_row_data\u0027 and \u0027replace_serialize_data\u0027 functions. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site to trigger the exploit.",
"id": "GHSA-q5hh-p536-9725",
"modified": "2024-11-14T15:32:16Z",
"published": "2024-11-14T15:32:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10962"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/staging/class-wpvivid-staging-copy-db-ex.php#L1104"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/staging/class-wpvivid-staging-copy-db-ex.php#L1120"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3186082"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9b4eba78-29f2-4357-ab3c-7bc3c20e0e75?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q5HP-HPFF-J44C
Vulnerability from github – Published: 2025-01-15 00:30 – Updated: 2025-02-03 18:30MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/add.
{
"affected": [],
"aliases": [
"CVE-2024-57764"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-15T00:15:34Z",
"severity": "CRITICAL"
},
"details": "MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/add.",
"id": "GHSA-q5hp-hpff-j44c",
"modified": "2025-02-03T18:30:39Z",
"published": "2025-01-15T00:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57764"
},
{
"type": "WEB",
"url": "https://gitee.com/wanglingxiao/mysiteforme/issues/IBFVCZ"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q5P3-M74J-G94P
Vulnerability from github – Published: 2022-05-17 00:22 – Updated: 2022-05-17 00:22The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distributed in OpenMRS Reference Application before 2.6.1, does not authenticate users when deserializing XML input into ReportSchema objects. The result is that remote unauthenticated users are able to execute operating system commands by crafting malicious XML payloads, as demonstrated by a single admin/reports/reportSchemaXml.form request.
{
"affected": [],
"aliases": [
"CVE-2017-12796"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-23T04:29:00Z",
"severity": "CRITICAL"
},
"details": "The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distributed in OpenMRS Reference Application before 2.6.1, does not authenticate users when deserializing XML input into ReportSchema objects. The result is that remote unauthenticated users are able to execute operating system commands by crafting malicious XML payloads, as demonstrated by a single admin/reports/reportSchemaXml.form request.",
"id": "GHSA-q5p3-m74j-g94p",
"modified": "2022-05-17T00:22:31Z",
"published": "2022-05-17T00:22:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12796"
},
{
"type": "WEB",
"url": "https://isears.github.io/jekyll/update/2017/10/21/openmrs-rce.html"
},
{
"type": "WEB",
"url": "https://talk.openmrs.org/t/critical-security-advisory-2017-09-12/13291"
},
{
"type": "WEB",
"url": "https://wiki.openmrs.org/display/RES/Release+Notes+2.6.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q5QQ-MVFM-J35X
Vulnerability from github – Published: 2026-01-09 21:12 – Updated: 2026-01-11 14:55Fickling's assessment
ctypes, importlib, runpy, code and multiprocessing were added the list of unsafe imports (https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66, https://github.com/trailofbits/fickling/commit/eb299b453342f1931c787bcb3bc33f3a03a173f9, https://github.com/trailofbits/fickling/commit/29d5545e74b07766892c1f0461b801afccee4f91, https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1, https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1).
Original report
Summary
The unsafe_imports() method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected as unsafe, allowing attackers to bypass Fickling's primary static safety checks.
Details
In fickling/fickle.py lines 866-884, the unsafe_imports() method checks imported modules against a hardcoded tuple:
def unsafe_imports(self) -> Iterator[ast.Import | ast.ImportFrom]:
for node in self.properties.imports:
if node.module in (
"__builtin__", "__builtins__", "builtins", "os", "posix", "nt",
"subprocess", "sys", "builtins", "socket", "pty", "marshal", "types",
):
yield node
This list is incomplete. The following dangerous modules are NOT detected:
- ctypes: Allows arbitrary memory access, calling C functions, and bypassing Python restrictions entirely
- importlib: Can dynamically import any module at runtime
- runpy: Can execute Python modules as scripts
- code: Can compile and execute arbitrary Python code
- multiprocessing: Can spawn processes with arbitrary code
Since ctypes is part of the Python standard library, it also bypasses the NonStandardImports analysis.
PoC
from fickling.fickle import Pickled
from fickling.analysis import check_safety, Severity
# Pickle that imports ctypes.pythonapi (allows arbitrary code execution)
# PROTO 4, GLOBAL 'ctypes pythonapi', STOP
payload = b'\x80\x04cctypes\npythonapi\n.'
pickled = Pickled.load(payload)
results = check_safety(pickled)
print(f"Severity: {results.severity.name}")
print(f"Is safe: {results.severity == Severity.LIKELY_SAFE}")
# Output: Severity is LIKELY_SAFE or low - the ctypes import is not flagged
# A truly malicious pickle using ctypes could execute arbitrary code
Impact
Security Bypass (Confidentiality, Integrity, Availability)
An attacker can craft a malicious pickle that:
1. Imports ctypes to gain arbitrary memory access
2. Uses ctypes.pythonapi or ctypes.CDLL to execute arbitrary code
3. Passes Fickling's safety analysis as "likely safe"
4. Executes malicious code when the victim loads the pickle after trusting Fickling's verdict
This undermines the core purpose of Fickling as a pickle safety scanner.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.1.6"
},
"package": {
"ecosystem": "PyPI",
"name": "fickling"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22609"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-09T21:12:00Z",
"nvd_published_at": "2026-01-10T02:15:50Z",
"severity": "HIGH"
},
"details": "#Fickling\u0027s assessment\n\n`ctypes`, `importlib`, `runpy`, `code` and `multiprocessing` were added the list of unsafe imports (https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66, https://github.com/trailofbits/fickling/commit/eb299b453342f1931c787bcb3bc33f3a03a173f9, https://github.com/trailofbits/fickling/commit/29d5545e74b07766892c1f0461b801afccee4f91, https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1, https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1). \n\n# Original report\n\n## Summary\n\nThe `unsafe_imports()` method in Fickling\u0027s static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected as unsafe, allowing attackers to bypass Fickling\u0027s primary static safety checks.\n\n## Details\n\nIn `fickling/fickle.py` lines 866-884, the `unsafe_imports()` method checks imported modules against a hardcoded tuple:\n\n```python\ndef unsafe_imports(self) -\u003e Iterator[ast.Import | ast.ImportFrom]:\n for node in self.properties.imports:\n if node.module in (\n \"__builtin__\", \"__builtins__\", \"builtins\", \"os\", \"posix\", \"nt\",\n \"subprocess\", \"sys\", \"builtins\", \"socket\", \"pty\", \"marshal\", \"types\",\n ):\n yield node\n```\n\nThis list is incomplete. The following dangerous modules are NOT detected:\n\n- **ctypes**: Allows arbitrary memory access, calling C functions, and bypassing Python restrictions entirely\n- **importlib**: Can dynamically import any module at runtime\n- **runpy**: Can execute Python modules as scripts\n- **code**: Can compile and execute arbitrary Python code\n- **multiprocessing**: Can spawn processes with arbitrary code\n\nSince `ctypes` is part of the Python standard library, it also bypasses the `NonStandardImports` analysis.\n\n## PoC\n\n```python\nfrom fickling.fickle import Pickled\nfrom fickling.analysis import check_safety, Severity\n\n# Pickle that imports ctypes.pythonapi (allows arbitrary code execution)\n# PROTO 4, GLOBAL \u0027ctypes pythonapi\u0027, STOP\npayload = b\u0027\\x80\\x04cctypes\\npythonapi\\n.\u0027\n\npickled = Pickled.load(payload)\nresults = check_safety(pickled)\n\nprint(f\"Severity: {results.severity.name}\")\nprint(f\"Is safe: {results.severity == Severity.LIKELY_SAFE}\")\n\n# Output: Severity is LIKELY_SAFE or low - the ctypes import is not flagged\n# A truly malicious pickle using ctypes could execute arbitrary code\n```\n\n## Impact\n\n**Security Bypass (Confidentiality, Integrity, Availability)**\n\nAn attacker can craft a malicious pickle that:\n1. Imports `ctypes` to gain arbitrary memory access\n2. Uses `ctypes.pythonapi` or `ctypes.CDLL` to execute arbitrary code\n3. Passes Fickling\u0027s safety analysis as \"likely safe\"\n4. Executes malicious code when the victim loads the pickle after trusting Fickling\u0027s verdict\n\nThis undermines the core purpose of Fickling as a pickle safety scanner.",
"id": "GHSA-q5qq-mvfm-j35x",
"modified": "2026-01-11T14:55:13Z",
"published": "2026-01-09T21:12:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-q5qq-mvfm-j35x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22609"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/pull/195"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/commit/29d5545e74b07766892c1f0461b801afccee4f91"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/commit/6b400e1a2525e6a4a076c97ccc0d4d9581317101"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/commit/eb299b453342f1931c787bcb3bc33f3a03a173f9"
},
{
"type": "PACKAGE",
"url": "https://github.com/trailofbits/fickling"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/blob/977b0769c13537cd96549c12bb537f05464cf09c/test/test_bypasses.py#L88"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Fickling has Static Analysis Bypass via Incomplete Dangerous Module Blocklist"
}
Mitigation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Mitigation
When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Mitigation
Explicitly define a final object() to prevent deserialization.
Mitigation
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.
Mitigation
Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-586: Object Injection
An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.