Home > Vulnerability Database > CVE-2025-67747

Mend.io Vulnerability Database

CVE-2025-67747

Good to know:

Date: December 15, 2025

Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 are missing "marshal" and "types" from the block list of unsafe module imports. Fickling started blocking both modules to address this issue. This allows an attacker to craft a malicious pickle file that can bypass fickling since it misses detections for "types.FunctionType" and "marshal.loads". A user who deserializes such a file, believing it to be safe, would inadvertently execute arbitrary code on their system. This impacts any user or system that uses Fickling to vet pickle files for security issues. The issue was fixed in version 0.1.6.

Severity Score

7.8

Related Resources (7)

Url: https://github.com/trailofbits/fickling/pull/186

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-67747

Url: https://github.com/trailofbits/fickling/security/advisories/GHSA-565g-hwwr-4pp3

Url: https://github.com/trailofbits/fickling/commit/4e34561301bda1450268d1d7b0b2b151de33b913

Url: https://github.com/trailofbits/fickling

Url: https://github.com/trailofbits/fickling/releases/tag/v0.1.6

Url: https://www.mend.io/vulnerability-database/CVE-2025-67747

Severity Score

7.8

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Incomplete List of Disallowed Inputs

CWE-184

Top Fix

Upgrade Version

Upgrade to version fickling - 0.1.6;https://github.com/trailofbits/fickling.git - v0.1.6

Learn More

CVSS v3.1

Base Score:	7.8
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-67747

Good to know:

Date: December 15, 2025

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?