{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22607", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T21:50:39.534Z", "datePublished": "2026-01-10T01:35:04.920Z", "dateUpdated": "2026-01-13T21:49:38.169Z"}, "containers": {"cna": {"title": "Fickling Blocklist Bypass: cProfile.run()", "problemTypes": [{"descriptions": [{"cweId": "CWE-184", "lang": "en", "description": "CWE-184: Incomplete List of Disallowed Inputs", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.9, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9"}, {"name": "https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43", "tags": ["x_refsource_MISC"], "url": "https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43"}, {"name": "https://github.com/trailofbits/fickling/releases/tag/v0.1.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.7"}], "affected": [{"vendor": "trailofbits", "product": "fickling", "versions": [{"version": "< 0.1.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T01:35:04.920Z"}, "descriptions": [{"lang": "en", "value": "Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python's cProfile module as unsafe. Because of this, a malicious pickle that uses cProfile.run() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling's output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7."}], "source": {"advisory": "GHSA-p523-jq9w-64x9", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-13T21:49:35.602436Z", "id": "CVE-2026-22607", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T21:49:38.169Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22607", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-13T21:49:35.602436Z"}}}], "references": [{"url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T21:49:27.585Z"}}], "cna": {"title": "Fickling Blocklist Bypass: cProfile.run()", "source": {"advisory": "GHSA-p523-jq9w-64x9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "trailofbits", "product": "fickling", "versions": [{"status": "affected", "version": "< 0.1.7"}]}], "references": [{"url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9", "name": "https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43", "name": "https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.7", "name": "https://github.com/trailofbits/fickling/releases/tag/v0.1.7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python's cProfile module as unsafe. Because of this, a malicious pickle that uses cProfile.run() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling's output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-184", "description": "CWE-184: Incomplete List of Disallowed Inputs"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T01:35:04.920Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22607", "state": "PUBLISHED", "dateUpdated": "2026-01-13T21:49:38.169Z", "dateReserved": "2026-01-07T21:50:39.534Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-10T01:35:04.920Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:trailofbits:fickling:*:*:*:*:*:*:*:*", "matchCriteriaId": "5E86A331-3CDE-4B67-AE0E-690AF652E670", "versionEndExcluding": "0.1.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python's cProfile module as unsafe. Because of this, a malicious pickle that uses cProfile.run() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling's output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7."}], "id": "CVE-2026-22607", "lastModified": "2026-01-16T18:58:22.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-10T02:15:49.780", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.7"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-184"}, {"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:33:59.199188+00:00", "value": {"mitigation_remediation": ["Upgrade to Fickling version 0.1.7 or later to apply the official patch.", "If Fickling is used as an input filter for pickle deserialization, remove that dependency or treat all pickle input as untrusted until an independent safety check is performed.", "Apply additional validation when deserializing pickles, such as restricting the allowed classes or using a safe deserialization library, to prevent accidental execution of malicious payloads."], "summary": {"action": "Patch Now", "impact": "Code Execution via Deserialization"}, "threat_synthesis": {"affected_systems": "The affected product is Fickling by Trail of Bits. Versions up to and including 0.1.6 are vulnerable. Affected deployments include any environment where Fickling is used to pre\u2011screen or analyze pickles before deserialization.", "description_and_impact": "This vulnerability occurs because older versions of the Fickling utility do not flag Python's cProfile.run() as unsafe. As a result, a malicious pickle that uses cProfile.run() is mistakenly classified as SUSPICIOUS rather than OVERTLY_MALICIOUS. If an organization relies on Fickling as a gatekeeper before deserializing pickles, this misclassification can trick users into accepting unsafe payloads, enabling the attacker to execute arbitrary code on the target system.", "risk_and_exploitability": "The vulnerability has a CVSS score of 8.9, indicating a high severity impact. The EPSS score is below 1%, suggesting low current exploit probability, and it is not listed in the CISA KEV catalog. However, if an attacker can supply a malicious pickle to an environment that trusts Fickling\u2019s output, they can trigger the embedded cProfile.run() call and gain remote code execution capability. The likely attack vector involves delivering a crafted pickle through user\u2011controlled input or insecure communication channels that are processed by Fickling."}}}}, "created": "2026-01-12T14:36:41.214946+00:00", "updated": "2026-04-18T16:45:05.217714+00:00", "vendors": ["trailofbits", "trailofbits$PRODUCT$fickling"]}