CVE-2025-67748
Severity: HIGH | WAF coverage: Medium
CVSS: 7.8
Published: 2025-12-16
CWE-94 (Improper Control of Generation of Code, 'Code Injection'), CWE-502 (Deserialization of Untrusted Data)
Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 had a bypass caused by `pty` missing from the block list of unsafe module imports. This led to unsafe pickles based on `pty.spawn()` being incorrectly flagged as `LIKELY_SAFE`, and was fixed in version 0.1.6. This impacted any user or system that used Fickling to vet pickle files for security issues.
WAF Coverage Analysis
Code Injection
Medium WAF Coverage
OWASP: A03:2021 Injection
- 932xxx - Remote Code Execution
- 933xxx - PHP Injection
- 934xxx - Node.js / Generic Injection
Insecure Deserialization
Medium WAF Coverage
OWASP: A08:2021 Software and Data Integrity Failures
- 944xxx - Java Attack
Affected Software
| Vendor | Product | Version |
|---|---|---|
| trailofbits | fickling | prior to 0.1.6 (fixed in 0.1.6) |
References
- github.com (Issue Tracking, Patch)
- github.com (Issue Tracking, Patch)
- github.com (Exploit, Vendor Advisory)