CVE-2026-14535 PUBLISHED

Fickling MLAllowlist analysis pass rendered inoperative by shared mutable state in AnalysisContext.shorten_code()

Assigner: BombadilSystems
Reserved: 03.07.2026 Published: 04.07.2026 Updated: 04.07.2026

In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shorten_code(node) on every import node it inspects, regardless of whether the import is flagged as unsafe. This call registers the shortened code representation in the shared AnalysisContext.reported_shortened_code set. When the MLAllowlist analysis pass subsequently runs, it calls the same shorten_code() method, receives already_reported=True for every import, and executes a continue statement that skips its allowlist check entirely. This renders MLAllowlist dead code for all imports — it never evaluates whether an import is in the ML allowlist or not. The MLAllowlist pass was designed to catch imports of modules outside the known-safe ML ecosystem (torch, numpy, transformers, etc.) that slip past the UnsafeImports denylist. With MLAllowlist inoperative, any standard library module not in the UNSAFE_IMPORTS denylist can be invoked via pickle deserialization while fickling's check_safety() returns LIKELY_SAFE. The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate, meaning a LIKELY_SAFE verdict causes the payload to be deserialized and executed. The root cause is shared mutable state between independently-correct analysis passes — UnsafeImportsML works as designed in isolation, MLAllowlist works as designed in isolation, but the shared reported_shortened_code set causes UnsafeImportsML to poison MLAllowlist's deduplication logic.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS Score: 8.8

Product Status

Vendor trailofbits
Product fickling
Versions Default: unaffected
  • affected from 0 to 0.1.11 (incl.)
  • Version 0.1.12 is unaffected

Credits

  • Christopher Aziz (Bombadil Systems LLC) finder

References

Problem Types

  • CWE-693 Protection Mechanism Failure CWE

Impacts

  • An attacker can craft a malicious pickle file that imports any standard library module not in fickling's UNSAFE_IMPORTS denylist. Because the MLAllowlist check is silently skipped due to shared state pollution from UnsafeImportsML, fickling's check_safety() returns LIKELY_SAFE. When used with fickling.load(), the payload is deserialized and arbitrary code executes in the victim's environment. This is distinct from denylist incompleteness (CWE-184) because the allowlist mechanism was specifically designed to catch imports that the denylist misses, and a code defect renders it entirely inoperative.