CVE Catalog

CVE-2026-14535

HighCVSS 8.8
Published: Translated: NVD NIST

Summary

In fickling up to version 0.1.11, the UnsafeImportsML analysis pass stores shortened import representations in a shared set, causing the MLAllowlist pass to skip all checks as already reported. This renders MLAllowlist ineffective, allowing imports of modules outside the allowlist to be considered safe.

Risk Assessment

The organization is at risk of malicious pickle deserialization that can execute arbitrary code, as fickling.load() trusts the false LIKELY_SAFE verdict. An attacker can exploit standard Python library modules not on the blocklist to compromise the system.

Recommendation

Immediately update fickling to version 0.1.12 or later, which fixes this vulnerability. If an update is not possible, temporarily disable fickling.load() and replace it with a custom secure pickle deserialization implementation.

Original NVD description (English source)

In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shorten_code(node) on every import node it inspects, regardless of whether the import is flagged as unsafe. This call registers the shortened code representation in the shared AnalysisContext.reported_shortened_code set. When the MLAllowlist analysis pass subsequently runs, it calls the same shorten_code() method, receives already_reported=True for every import, and executes a continue statement that skips its allowlist check entirely. This renders MLAllowlist dead code for all imports — it never evaluates whether an import is in the ML allowlist or not. The MLAllowlist pass was designed to catch imports of modules outside the known-safe ML ecosystem (torch, numpy, transformers, etc.) that slip past the UnsafeImports denylist. With MLAllowlist inoperative, any standard library module not in the UNSAFE_IMPORTS denylist can be invoked via pickle deserialization while fickling's check_safety() returns LIKELY_SAFE. The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate, meaning a LIKELY_SAFE verdict causes the payload to be deserialized and executed. The root cause is shared mutable state between independently-correct analysis passes — UnsafeImportsML works as designed in isolation, MLAllowlist works as designed in isolation, but the shared reported_shortened_code set causes UnsafeImportsML to poison MLAllowlist's deduplication logic.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS