HIGH · CVE-2025-67748 · CVSS 7.5

Fickling code injection vulnerability via pty.spawn()

Platform

python

Component

fickling

Fixed versions

0.1.7

0.1.6

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2025-67748 describes an arbitrary code execution vulnerability discovered in Fickling, a Python library. This flaw allows a malicious pickle file to bypass a safety heuristic, leading to potentially unrestricted code execution within the application. The vulnerability affects versions of Fickling up to 0.1.5, and a fix is available in version 0.1.6.


Impact and attack scenarios

An attacker can exploit this vulnerability by providing a specially crafted pickle file to a system utilizing Fickling. The bypass of the heuristic allows the attacker to execute arbitrary code with the privileges of the running process. This could lead to complete system compromise, data exfiltration, or denial of service. The impact is particularly severe if Fickling is used in a security-sensitive context, such as deserializing data from untrusted sources. The ability to execute arbitrary code opens the door to a wide range of malicious activities, including installing malware, modifying system configurations, and gaining persistent access.

Exploitation context

This vulnerability was publicly disclosed on December 15, 2025. No known active exploitation campaigns have been reported at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code may become available, increasing the risk of exploitation.

Who is at risk

Applications and systems that utilize Fickling to deserialize data from untrusted sources are at risk. This includes systems that process data from external APIs, user uploads, or other potentially malicious sources. Specifically, Python environments where Fickling is a dependency and where pickle deserialization is performed without proper validation are vulnerable.

Detection steps

• python / library:

from importlib.metadata import PackageNotFoundError, version

# First release that adds pty to the unsafe-import blocklist (see the advisory text).
FIXED_VERSION = (0, 1, 6)


def parse_version(v):
    # Compare numerically: as plain strings "0.1.10" sorts before "0.1.5".
    return tuple(int(part) for part in v.split(".")[:3])


def check_fickling_version():
    # Read the installed distribution version; None when fickling is not installed.
    try:
        return version("fickling")
    except PackageNotFoundError:
        return None


installed = check_fickling_version()
if installed is None:
    print("Fickling is not installed.")
elif parse_version(installed) < FIXED_VERSION:
    print(f"Vulnerability detected: Fickling {installed} is affected by CVE-2025-67748.")
else:
    print(f"Fickling {installed} is patched.")

Attack timeline

  1. Disclosure

Threat intelligence

Exploitation status

Proof of concept: unknown
CISA KEV: NO

EPSS

0.03% (9th percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical impact: total

Affected software

Component: fickling
Vendor: osv
Affected range: < 0.1.6
Fixed versions: 0.1.7, 0.1.6

Weakness classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Patch released 1 day after disclosure

Mitigations and alternatives

The primary mitigation for CVE-2025-67748 is to upgrade Fickling to version 0.1.6 or later, which closes the gap in the unsafe-module import restriction. If upgrading is not immediately feasible, restrict the sources of pickle files processed by Fickling to trusted origins only, and implement input validation so that pickle files from untrusted sources are not accepted. While not a direct fix, running Fickling in a sandboxed environment limits the impact of a successful exploit. After upgrading, verify the fix by analysing a known malicious pickle file – it should now be flagged as unsafe.
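The root cause described on this page is a blocklist of unsafe modules that was missing one entry (`pty`). A blocklist fails open whenever a module is forgotten; an allowlist of the globals an application actually expects fails closed. The example below is added here and is not Fickling's code or part of the advisory: it enumerates every import a pickle would perform using only `pickletools` (no execution), reports any that fall outside an allowlist, and then loads through an `Unpickler` whose `find_class` enforces the same allowlist, which is the control the Python documentation recommends. `ALLOWED_GLOBALS`, the function names and the sample pickles are assumptions constructed for the example.

```python
import io
import pickle
import pickletools

# Allowlist of (module, name) pairs this application expects in incoming pickles.
# Assumption for this example: a real deployment derives it from its own data model.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("builtins", "set"),
}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}


def imported_globals(data: bytes) -> list[tuple[str, str]]:
    """Return every (module, name) the pickle would import, without executing it.

    Handles GLOBAL/INST (module and name inline in the opcode argument) and
    STACK_GLOBAL (module and name are the two preceding string operands, which
    may also arrive through the memo via BINGET after an earlier MEMOIZE/PUT).
    """
    found = []
    strings = []   # string values pushed so far, in stream order
    memo = {}      # memo slot -> last pushed value
    last = None    # value pushed by the most recent opcode (None if not a string)
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            last = arg
            strings.append(arg)
        elif op.name in GET_OPS:
            last = memo.get(arg)
            if isinstance(last, str):
                strings.append(last)
        elif op.name == "MEMOIZE":
            memo[len(memo)] = last          # MEMOIZE stores the top of stack at slot len(memo)
        elif op.name in PUT_OPS:
            memo[arg] = last
        elif op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)  # pickletools joins the two lines with a space
            found.append((module, name))
            last = None
        elif op.name == "STACK_GLOBAL":
            if len(strings) >= 2:
                found.append((strings[-2], strings[-1]))
            else:
                found.append(("<unresolved>", "<unresolved>"))  # fail closed
            last = None
        else:
            last = None
    return found


def unexpected_imports(data: bytes) -> list[tuple[str, str]]:
    """Imports the pickle would perform that are not on the allowlist."""
    return [g for g in imported_globals(data) if g not in ALLOWED_GLOBALS]


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that refuses any import outside ALLOWED_GLOBALS.

    find_class is consulted for every GLOBAL, INST and STACK_GLOBAL the stream
    performs, so this holds even for a stream crafted to confuse the static scan.
    """

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"import of {module}.{name} is not allowed")
        return super().find_class(module, name)


def safe_load(data: bytes):
    """Scan first (useful for logging what was attempted), then load restricted."""
    unsafe = unexpected_imports(data)
    if unsafe:
        raise pickle.UnpicklingError(f"refusing pickle that imports {unsafe}")
    return AllowlistUnpickler(io.BytesIO(data)).load()


if __name__ == "__main__":
    import collections
    import datetime

    # Constructed sample inputs: one pickle using only allowed imports, one that
    # would import datetime.date, which is outside the allowlist and so is refused.
    benign = pickle.dumps(collections.OrderedDict(a=1))
    suspicious = pickle.dumps(datetime.date(2024, 1, 2))
    print("benign imports:", imported_globals(benign))
    print("unexpected imports:", unexpected_imports(suspicious))
```

The static scan is informative (it tells you what an untrusted file tried to pull in) but the `find_class` override is the enforcement point: every module reference in a pickle stream passes through it, so there is no list of "dangerous" modules to keep complete.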

Remediation

Upgrade the Fickling library to version 0.1.6 or later. This fixes the code injection vulnerability caused by the absence of `pty` from the blocklist of unsafe module imports. The update ensures that unsafe pickle files based on `pty.spawn()` are correctly flagged as unsafe.


Frequently asked questions

What is CVE-2025-67748 — Arbitrary Code Execution in Fickling?

CVE-2025-67748 is a vulnerability in Fickling versions 0.1.5 and earlier that allows a crafted pickle file to bypass a safety heuristic, leading to arbitrary code execution.

Am I affected by CVE-2025-67748 in Fickling?

You are affected if you are using Fickling version 0.1.5 or earlier and deserialize pickle files from untrusted sources.

How do I fix CVE-2025-67748 in Fickling?

Upgrade Fickling to version 0.1.6 or later. Restrict pickle file sources to trusted origins and implement input validation.

Is CVE-2025-67748 being actively exploited?

No active exploitation campaigns have been reported at this time, but the risk increases with public proof-of-concept code.

Where can I find the official Fickling advisory for CVE-2025-67748?

Refer to the Fickling GitHub repository for updates and advisories: https://github.com/trailofbits/fickling
