CVE-2025-67748: Fickling has Code Injection vulnerability via pty.spawn()
An unsafe deserialization vulnerability in Fickling allows a crafted pickle file to bypass the “unused variable” heuristic, enabling arbitrary code execution. This bypass is achieved by adding a trivial operation to the pickle file that “uses” the otherwise unused variable left on the stack after a malicious operation, tricking the detection mechanism into classifying the file as safe.
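The advisory's lesson is that a heuristic which reasons about whether a value left on the stack is "used" can be argued around by the pickle program itself, so it should not be the only gate in front of `pickle.load`. The following is an added example, not code from the advisory or from the Fickling project: a restricted unpickler in the pattern documented for Python's `pickle` module, which refuses every `GLOBAL` / `STACK_GLOBAL` import outside an explicit allowlist at `find_class()` time, before any object is built and regardless of what the pickle later does with it, plus a small static `pickletools` scan for triage. The allowlist contents, the `safe_loads` / `is_rejected` / `list_globals` names and the three sample pickles are all constructed here for illustration.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Allowlist of (module, name) pairs the loader may resolve. Chosen here for
# illustration; a real consumer lists exactly the classes its data needs.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals.

    find_class() is consulted for every GLOBAL / STACK_GLOBAL opcode before
    the referenced object is pushed, so the decision does not depend on
    whether the pickle program later 'uses' the result.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is not allowed")


def safe_loads(data: bytes):
    """Load untrusted pickle bytes through the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if the restricted loader refuses the pickle."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Opcodes whose argument is a string; the two most recent feed STACK_GLOBAL.
_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
               "STRING", "BINSTRING", "SHORT_BINSTRING"}


def list_globals(data: bytes):
    """Statically enumerate every (module, name) the pickle tries to import.

    Disassembles without executing: GLOBAL carries "module name" directly,
    STACK_GLOBAL takes the two preceding string pushes. It models neither the
    memo nor the stack, so it is a triage aid; find_class() remains the gate.
    """
    found = []
    recent = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(recent) >= 2:
            found.append((recent[-2], recent[-1]))
        elif op.name in _STRING_OPS:
            recent.append(arg)
    return found


# Constructed sample inputs (not taken from the advisory).
BENIGN = pickle.dumps({"model": "demo", "weights": [0.1, 0.2, 0.3]}, protocol=4)

# Pickle of an allowlisted class; protocol 4 emits STACK_GLOBAL for the import.
ALLOWLISTED = pickle.dumps(OrderedDict(a=1), protocol=4)

# Hand-written pickle that resolves pty.spawn with the GLOBAL opcode
# ('c' module NEWLINE name NEWLINE) and then stops. Nothing is called, so the
# standard loader would merely return the function object; the restricted
# loader refuses the import itself, and the static scan lists it.
UNTRUSTED = b"cpty\nspawn\n."

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("allowlisted", ALLOWLISTED),
                        ("untrusted", UNTRUSTED)]:
        print(label, "imports:", list_globals(blob),
              "rejected:", is_rejected(blob))
```

The design point is where the decision is made: `find_class()` runs at the moment the import opcode executes, with the full `(module, name)` in hand, so there is no dataflow for a "trivial operation" to influence. The static scan is useful for reviewing artifacts before they reach a loader at all, but on its own it is exactly the kind of heuristic the advisory shows can be bypassed.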