PYSEC-2026-2149

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/fickling/PYSEC-2026-2149.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2149
Aliases
Published
2026-07-04T14:16:28.400Z
Modified
2026-07-13T07:15:25.024533172Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules posixsubprocess, site, and atexit in the UNSAFEIMPORTS denylist (fickle.py). Because these modules are absent from the denylist, fickling's checksafety() function returns LIKELYSAFE with zero findings for pickle payloads that invoke dangerous functions including posixsubprocess.forkexec (C-level process spawner capable of executing arbitrary binaries), site.execsitecustomize (executes arbitrary site customization code), and atexit.runexitfuncs (triggers all registered exit handler callbacks). The fickling.load() API chains checksafety() into pickle.loads() as an explicit security gate; a LIKELYSAFE verdict causes the payload to be deserialized and executed. This shares the same root cause as CVE-2026-22607 (cProfile), CVE-2025-67748 (pty), and CVE-2025-67747 (marshal/types). OvertlyBadEvals does not flag these modules because they are standard library imports. UnsafeImports does not flag them because they are not in the denylist. The UnusedVariables heuristic is defeated by the SETITEMS opcode pattern.

References

Affected packages

PyPI / fickling

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.1.11

Affected versions

0.*
0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.1.10

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/fickling/PYSEC-2026-2149.yaml"