GHSA-5hwf-rc88-82xm: Fickling missing RCE-capable modules in UNSAFE_IMPORTS
Summary
Fickling, a security tool that checks if pickle files (serialized Python objects) are safe, was missing three standard library modules from its blocklist of dangerous imports: `uuid`, `_osx_support`, and `_aix_support`. These modules contain functions that can execute arbitrary commands on a system, and malicious pickle files using them could bypass Fickling's safety checks and run attacker-controlled code.
Solution / Mitigation
The modules `uuid`, `_osx_support` and `_aix_support` were added to the blocklist of unsafe imports (via commit ffac3479dbb97a7a1592d85991888562d34dd05b). This fix is available in versions after fickling 0.1.8.
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-5hwf-rc88-82xm
First tracked: March 4, 2026 at 07:00 PM
Classified by LLM (prompt v3) · confidence: 92%