Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-67748

CVE-2025-67748: Trailofbits Fickling Auth Bypass Flaw

CVE-2025-67748 is an authentication bypass flaw in Trailofbits Fickling that allows unsafe pickles to be incorrectly flagged as safe due to missing pty module restrictions. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-67748 Overview

CVE-2025-67748 affects Fickling, a Python pickling decompiler and static analyzer maintained by Trail of Bits. Versions prior to 0.1.6 contained a gap in the block list of unsafe module imports: the pty module was missing. As a result, malicious pickle files using pty.spawn() as their payload were incorrectly classified as LIKELY_SAFE. Any user or automated pipeline relying on Fickling to vet pickle files for security issues could be tricked into trusting a file that executes arbitrary commands when loaded. The issue is tracked under [CWE-94] Improper Control of Generation of Code.

Critical Impact

A static analyzer bypass allowed attacker-controlled pickle files invoking pty.spawn() to be labeled LIKELY_SAFE, enabling code execution when the pickle is later deserialized.

Affected Products

  • Trail of Bits Fickling versions prior to 0.1.6
  • Python environments and ML pipelines using Fickling to scan pickle files
  • Automated CI/CD security gates relying on Fickling classifications

Discovery Timeline

  • 2025-12-16 - CVE-2025-67748 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-67748

Vulnerability Analysis

Fickling statically analyzes Python pickle streams and flags references to dangerous modules and callables. The analyzer maintains a block list of unsafe imports such as os, subprocess, and builtins. In versions prior to 0.1.6, the pty standard-library module was absent from this list. The pty module exposes pty.spawn(), which executes an arbitrary command in a pseudo-terminal. A pickle file containing a GLOBAL opcode resolving pty.spawn followed by a REDUCE opcode with attacker-supplied arguments triggers command execution on pickle.load(). Because pty was not on the block list, Fickling returned a LIKELY_SAFE verdict for such files.

Root Cause

The root cause is an incomplete deny list. Fickling enumerated known dangerous modules but omitted pty, which transitively reaches os.execlp through pty.spawn(). The fix in pull request #187 adds pty to the unsafe import set, aligning the static check with the actual execution surface of the Python standard library.

Attack Vector

Exploitation requires a victim to load an attacker-supplied pickle file after Fickling has scanned and approved it. The attack vector is local: the target must process the file with pickle.load() or an equivalent deserializer. User interaction is required, typically in the form of loading a model file, dataset, or serialized object from an untrusted source such as a model hub or shared artifact repository.

The vulnerable pickle stream embeds a GLOBAL opcode that imports pty.spawn, followed by a tuple of arguments and a REDUCE opcode. When deserialized, Python resolves the import and invokes pty.spawn() with the attacker's command list, spawning a shell or arbitrary process under the victim's privileges. See the GitHub Security Advisory GHSA-r7v6-mfhq-g3m2 for additional context.

Detection Methods for CVE-2025-67748

Indicators of Compromise

  • Pickle files containing a GLOBAL opcode referencing pty or pty.spawn followed by a REDUCE opcode
  • Unexpected child processes such as sh, bash, or /bin/sh spawned by Python interpreters that loaded a pickle
  • Fickling scan reports issued by versions earlier than 0.1.6 returning LIKELY_SAFE for files now flagged by 0.1.6+
  • Outbound network connections initiated by Python processes shortly after deserializing a model or artifact

Detection Strategies

  • Re-scan all previously vetted pickle artifacts with Fickling 0.1.6 or later and compare verdicts against historical results
  • Hunt for process trees where python or python3 is the parent of an interactive shell on systems that consume pickle files
  • Inspect pickle bytecode with pickletools.dis() for any reference to pty and quarantine matches

Monitoring Recommendations

  • Log and alert on Python processes invoking pty.spawn or executing shells in production model-serving environments
  • Track Fickling versions deployed across build agents, MLOps pipelines, and developer workstations
  • Monitor model registries and artifact stores for newly uploaded pickle files and trigger re-scanning on each ingest

How to Mitigate CVE-2025-67748

Immediate Actions Required

  • Upgrade Fickling to version 0.1.6 or later in every environment where pickle files are vetted
  • Re-run Fickling scans across all stored pickle files and rebuild trust decisions on the new verdicts
  • Treat any prior LIKELY_SAFE classification from an earlier Fickling version as unverified until rescanned

Patch Information

The fix is delivered in Fickling 0.1.6. Pull request #187 adds pty to the unsafe module block list, and earlier hardening landed in pull request #108. Full details are documented in GHSA-r7v6-mfhq-g3m2.

Workarounds

  • Avoid loading pickle files from untrusted sources regardless of static-analysis verdicts
  • Prefer safer serialization formats such as safetensors, JSON, or Protocol Buffers for model and data exchange
  • Execute pickle deserialization inside sandboxed or containerized processes with no network and minimal filesystem privileges
  • Add a custom deny rule for pty imports in any wrapper code that ships pinned versions of Fickling below 0.1.6
bash
# Upgrade Fickling to the patched version
pip install --upgrade 'fickling>=0.1.6'

# Verify the installed version
python -c "import fickling, sys; print(fickling.__version__)"

# Re-scan a pickle artifact with the patched analyzer
fickling --check-safety suspicious_model.pkl

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.