PYSEC-2025-113

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/fickling/PYSEC-2025-113.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2025-113

Aliases

Published

2025-12-16T01:15:52.950Z

Modified

2026-05-20T09:19:00.310433Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 had a bypass caused by pty missing from the block list of unsafe module imports. This led to unsafe pickles based on pty.spawn() being incorrectly flagged as LIKELY_SAFE, and was fixed in version 0.1.6. This impacted any user or system that used Fickling to vet pickle files for security issues.

References

Affected packages

PyPI / fickling

Package

Name: fickling; View open source insights on deps.dev
Purl: pkg:pypi/fickling

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.1.6

Affected versions

0.*

0.0.1

0.0.2

0.0.3

0.0.4

0.0.5

0.0.6

0.0.7

0.0.8

0.1.2

0.1.3

0.1.4

0.1.5

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/fickling/PYSEC-2025-113.yaml"