UnsafeImports Issue in Trail of Bits Fickling up to Version 0.1.11
CVE-2026-14535
8.8HIGH
What is CVE-2026-14535?
The Fickling library by Trail of Bits suffers from a flaw in the UnsafeImportsML analysis pass, which indiscriminately processes every import node without verifying if it is marked as unsafe. This unchecked behavior leads to the MLAllowlist analysis bypassing its crucial checks, thus failing to determine if an import is from a trusted source or not. Consequently, standard library modules outside the denylist can be deserialized and executed without proper safety checks, compromising the integrity of the application. This vulnerability emphasizes the importance of correctly managing shared mutable states across analysis passes to maintain effective security measures.
Affected Version(s)
fickling 0 <= 0.1.11
fickling 0.1.12
