CVE-2025-67748: Fickling has Code Injection vulnerability via pty.spawn()
An unsafe deserialization vulnerability in Fickling allows a crafted pickle file to bypass the "unused variable" heuristic and thereby reach arbitrary code execution. That heuristic flags a call (such as pty.spawn()) whose return value is left on the unpickling stack and never consumed, which is the typical shape of a payload run purely for its side effect. The bypass adds a trivial operation to the pickle that "uses" the otherwise unused value before it is discarded, so the detector classifies the file as safe even though the malicious call still executes on load.
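A constructed illustration of the heuristic and of the bypass, added here as example code that is not from the advisory, from fickling, or from the referenced pull requests. It models a reduced "unused variable" check over the opcode stream from pickletools.genops, with os.getcwd standing in for pty.spawn so the sample pickles are safe to load; the two pickle byte strings are constructed for this example, and the taint-propagating variant is this example's own hardening, not a description of how fickling fixed the issue.

```python
import pickle
import pickletools

# Constructed sample pickles (not taken from the advisory). os.getcwd is a
# side-effect-free stand-in for pty.spawn; the opcode shape is identical.
# Both pickles unpickle to None, so the call exists only for its side effect.
#   GLOBAL 'os getcwd'  EMPTY_TUPLE  REDUCE  POP  NONE  STOP
DISCARDED = b"cos\ngetcwd\n)R0N."
#   GLOBAL 'os getcwd'  EMPTY_TUPLE  REDUCE  TUPLE1  POP  NONE  STOP
# TUPLE1 "uses" the call result before the tuple is thrown away.
BYPASS = b"cos\ngetcwd\n)R\x850N."


def unused_call_results(data: bytes, propagate: bool) -> list:
    """Describe call results that the pickle computes and then discards.

    Stack entries are (label, taint); taint is None for clean values or the
    name of the call whose result the entry holds.  propagate=False tracks
    only a direct REDUCE result (the heuristic as the advisory describes
    it).  propagate=True lets any value built from a tainted entry inherit
    the taint (this example's hardening, an assumption, not fickling's fix).
    """
    stack = []
    memo = {}
    findings = []

    def discard(entry, pos):
        if entry[1] is not None:
            findings.append(f"result of {entry[1]} discarded at offset {pos}")

    for op, arg, pos in pickletools.genops(data):
        name = op.name
        if name in ("PROTO", "FRAME"):
            continue
        elif name == "GLOBAL":
            # genops yields 'module name' separated by a space
            stack.append((arg.replace(" ", "."), None))
        elif name in ("NONE", "EMPTY_TUPLE", "EMPTY_LIST", "EMPTY_DICT"):
            stack.append((name.lower(), None))
        elif name == "REDUCE":
            args, callable_ = stack.pop(), stack.pop()
            stack.append(("call", f"{callable_[0]}(...)"))
        elif name in ("TUPLE1", "TUPLE2", "TUPLE3"):
            items = [stack.pop() for _ in range(int(name[-1]))]
            taint = None
            if propagate:
                taint = next((t for _, t in items if t is not None), None)
            stack.append(("tuple", taint))
        elif name == "POP":
            discard(stack.pop(), pos)
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = stack[-1]
        elif name == "MEMOIZE":
            memo[len(memo)] = stack[-1]
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            stack.append(memo[arg])
        elif name == "STOP":
            stack.pop()  # the unpickled value; anything left below it is dead
            for entry in stack:
                discard(entry, pos)
            break
        else:
            raise ValueError(f"opcode {name} not modelled at offset {pos}")
    return findings


def is_flagged(data: bytes, propagate: bool = False) -> bool:
    return bool(unused_call_results(data, propagate))


if __name__ == "__main__":
    for label, blob in (("discarded", DISCARDED), ("bypass", BYPASS)):
        print(label, "naive:", is_flagged(blob), "taint:", is_flagged(blob, True))
    # Both payloads still run os.getcwd() on load and return None.
    print(pickle.loads(DISCARDED), pickle.loads(BYPASS))
```

The naive check flags DISCARDED (the REDUCE result is popped unused) but passes BYPASS, because the TUPLE1 consumes the call result and the tuple that is then popped is not itself a call result. Propagating taint through the tuple closes that particular gap, but the underlying lesson is that a heuristic over stack usage is not a safety boundary: untrusted pickles should not be loaded at all.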
References
- github.com/advisories/GHSA-r7v6-mfhq-g3m2
- github.com/pypa/advisory-database/tree/main/vulns/fickling/PYSEC-2025-113.yaml
- github.com/trailofbits/fickling/pull/108
- github.com/trailofbits/fickling/pull/187
- github.com/trailofbits/fickling/security/advisories/GHSA-r7v6-mfhq-g3m2
- nvd.nist.gov/vuln/detail/CVE-2025-67748