fickling@0.0.1 vulnerabilities

A static analyzer and interpreter for Python pickle data

  • latest version

    0.1.10

  • latest non-vulnerable version

  • first published

    5 years ago

  • latest version published

    11 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the fickling package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable Version
    • H
    Improperly Implemented Security Check for Standard

    fickling is a static analyzer and interpreter for Python pickle data

    Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard in the always_check_safety() function. An attacker can execute arbitrary code by supplying a malicious pickle payload to unprotected deserialization entry points.

    How to fix Improperly Implemented Security Check for Standard?

    Upgrade fickling to version 0.1.9 or higher.

    [,0.1.9)
    • H
    Incomplete List of Disallowed Inputs

    Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the UNSAFE_IMPORTS list. An attacker can execute arbitrary system commands by crafting a malicious pickle file that imports certain standard library modules containing functions which invoke system commands with attacker-controlled arguments.

    How to fix Incomplete List of Disallowed Inputs?

    Upgrade fickling to version 0.1.9 or higher.

    [,0.1.9)
    • M
    Incomplete List of Disallowed Inputs

    Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the is_likely_safe(), check_safety(), --check-safety and always_check_safety() interfaces. An attacker can execute arbitrary code, open network connections, create files, or establish backdoor listeners by crafting malicious pickle files that exploit the bypass in the safety checks.

    How to fix Incomplete List of Disallowed Inputs?

    Upgrade fickling to version 0.1.8 or higher.

    [,0.1.8)
    • C
    Interpretation Conflict

    Affected versions of this package are vulnerable to Interpretation Conflict via the OBJ opcode handling logic. An attacker can evade safety checks by triggering a code path where OBJ pushes an ast.Call onto the interpreter stack without persisting it to the AST via new_variable(). An attacker can execute arbitrary code, open network connections, create files, or establish backdoor listeners by crafting malicious pickle files that bypass all safety checks.

    How to fix Interpretation Conflict?

    Upgrade fickling to version 0.1.8 or higher.

    [,0.1.8)
    • L
    Incomplete List of Disallowed Inputs

    Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the check_safety function. An attacker can trigger outbound TCP connections during deserialization by crafting malicious pickle files that exploit stdlib network-protocol constructors. This allows the attacker to receive network callbacks, exfiltrate host information, probe internal services, or establish covert channels bypassing safety checks.

    How to fix Incomplete List of Disallowed Inputs?

    Upgrade fickling to version 0.1.8 or higher.

    [,0.1.8)
    • H
    Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the runpy module. An attacker can execute arbitrary code by supplying a malicious pickle file that uses runpy.run_path or runpy.run_module to run attacker-controlled scripts during deserialization. The resulting file is classified as SUSPICIOUS and may therefore be assumed safe and executed.

    How to fix Deserialization of Untrusted Data?

    Upgrade fickling to version 0.1.7 or higher.

    [,0.1.7)
    • H
    Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the unsafe_imports function. An attacker can execute arbitrary code by supplying a malicious pickle that imports dangerous modules not detected by the static analyzer, which then passes the safety checks and is loaded by the victim.

    How to fix Deserialization of Untrusted Data?

    Upgrade fickling to version 0.1.7 or higher.

    [,0.1.7)
    • H
    Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker can execute arbitrary code by supplying a malicious pickle payload that uses the pydoc and ctypes modules to bypass detection mechanisms. Once classified as LIKELY_SAFE, the resulting file may be loaded and presumed safe.

    How to fix Deserialization of Untrusted Data?

    Upgrade fickling to version 0.1.7 or higher.

    [,0.1.7)
    • H
    Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the cProfile.run function. An attacker can execute arbitrary code by supplying a malicious pickle file that bypasses checks and gets classified as SUSPICIOUS. This may cause it to be treated as safe and executed.

    How to fix Deserialization of Untrusted Data?

    Upgrade fickling to version 0.1.7 or higher.

    [,0.1.7)
    • H
    Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the analysis of pickle files, where import nodes for certain modules such as builtins are not emitted in the abstract syntax tree, resulting in the security analysis being unable to detect dangerous imports. An attacker can execute arbitrary code by including dangerous functions from builtins, such as __import__, which will be executed when the malicious file is loaded under the assumption that it is safe because it is tagged LIKELY_SAFE.

    How to fix Deserialization of Untrusted Data?

    Upgrade fickling to version 0.1.7 or higher.

    [,0.1.7)
    • H
    Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to incomplete detection of dangerous pickle constructs. The safety analysis fails to block certain unsafe module imports, allowing malicious pickle files that invoke functions such as pty.spawn() to bypass heuristic checks. An attacker can craft a pickle that manipulates stack usage to evade the unused-variable heuristic and execute arbitrary code when the pickle is analyzed or processed.

    How to fix Deserialization of Untrusted Data?

    Upgrade fickling to version 0.1.6 or higher.

    [,0.1.6)
    • H
    Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to missing detection of the unsafe marshal.loads and types.FunctionType callables. An attacker can execute arbitrary code by crafting a malicious pickle file that leverages them to bypass security checks during deserialization.

    How to fix Deserialization of Untrusted Data?

    Upgrade fickling to version 0.1.6 or higher.

    [,0.1.6)