CVE-2025-67748

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-67748

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67748.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-67748

Aliases

GHSA-r7v6-mfhq-g3m2

Published

2025-12-16T00:39:13.968Z

Modified

2026-01-04T05:42:11.975999Z

Severity

7.1 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

Fickling has Code Injection vulnerability via pty.spawn()

Details

Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 had a bypass caused by pty missing from the block list of unsafe module imports. This led to unsafe pickles based on pty.spawn() being incorrectly flagged as LIKELY_SAFE, and was fixed in version 0.1.6. This impacted any user or system that used Fickling to vet pickle files for security issues.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/67xxx/CVE-2025-67748.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-184",
        "CWE-502",
        "CWE-94"
    ]
}

References

Affected packages

Git / github.com/trailofbits/fickling

Affected ranges

Type: GIT
Repo: https://github.com/trailofbits/fickling
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

8249522c7180c69436516ff81bff394f62298c0c

Affected versions

Other

master

v0.*

v0.0.1

v0.0.2

v0.0.3

v0.0.4

v0.0.5

v0.0.6

v0.0.7

v0.0.8

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.1.4

v0.1.5

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67748.json"