What happened
A logic error in Trail of Bits' fickling — a widely used static analysis tool for detecting malicious pickle-based ML model files — causes its core protection (MLAllowlist) to become inert, letting crafted malicious pickle payloads pass its safety check and execute arbitrary code upon deserialization. Published to NVD July 4, 2026, CVSS 8.8 (High).
Why it matters
fickling is a de facto standard scanning tool used across the ML ecosystem (including Hugging Face Hub tooling) to vet untrusted pickle-serialized models before loading. A security tool whose core check silently fails open means any pipeline that gates model loads on fickling's verdict could unknowingly execute attacker-controlled code from a poisoned model file — directly undermining ML supply-chain trust at scale.
Attack vector
The UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shorten_code(node) on every import node it inspects, populating a shared 'reported_shortened_code' set as a side effect. This causes the subsequent MLAllowlist pass to skip its allowlist checks entirely, becoming dead code. As a result, any module outside the UNSAFE_IMPORTS denylist (including non-ML standard-library modules capable of arbitrary code execution) can be smuggled through fickling.check_safety() and will be reported LIKELY_SAFE, then executed via pickle.loads() by any application that trusts fickling's verdict.
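The following is an added illustration of the fail-open pattern described above; it is a simplified model written for this advisory, not fickling's own code. The pass names, the denylist and allowlist contents, the Context class and the "skip nodes already reported" rule inside the allowlist pass are all assumptions chosen to reproduce the described behaviour: the first pass records every node as reported, so the second pass has nothing left to check.

```python
"""Model of two analysis passes sharing a context (hypothetical, not fickling's code).

The buggy first pass calls shorten_code() on every node it sees, which adds the
node to the shared reported_shortened_code set. The allowlist pass treats
membership in that set as "already reported" and skips the node, so under the
buggy pass the allowlist check never runs.
"""
from dataclasses import dataclass, field

# Constructed lists for the example; not the real UNSAFE_IMPORTS / MLAllowlist contents.
UNSAFE_IMPORTS = {"os", "subprocess", "builtins"}
ML_ALLOWLIST = {"torch", "numpy", "collections"}


@dataclass
class ImportNode:
    module: str
    name: str


@dataclass
class Context:
    """Shared state passed through every analysis pass (assumed structure)."""
    results: list = field(default_factory=list)
    reported_shortened_code: set = field(default_factory=set)

    def shorten_code(self, node: ImportNode) -> str:
        # Side effect: remembers the node as reported, whatever the caller does next.
        code = f"from {node.module} import {node.name}"
        self.reported_shortened_code.add(code)
        return code


def _top_level(node: ImportNode) -> str:
    return node.module.split(".")[0]


def unsafe_imports_pass_buggy(ctx: Context, nodes: list) -> None:
    """Calls shorten_code() unconditionally, marking every node as reported."""
    for node in nodes:
        code = ctx.shorten_code(node)
        if _top_level(node) in UNSAFE_IMPORTS:
            ctx.results.append(("UNSAFE_IMPORT", code))


def unsafe_imports_pass_fixed(ctx: Context, nodes: list) -> None:
    """Only touches the shared set for nodes it actually reports."""
    for node in nodes:
        if _top_level(node) in UNSAFE_IMPORTS:
            ctx.results.append(("UNSAFE_IMPORT", ctx.shorten_code(node)))


def allowlist_pass(ctx: Context, nodes: list) -> None:
    """Flags any import whose module is not on the ML allowlist, unless already reported."""
    for node in nodes:
        code = f"from {node.module} import {node.name}"
        if code in ctx.reported_shortened_code:
            continue  # assumed dedup rule: an earlier pass already reported this node
        if _top_level(node) not in ML_ALLOWLIST:
            ctx.results.append(("NOT_ALLOWLISTED", ctx.shorten_code(node)))


def verdict(nodes: list, unsafe_pass) -> tuple:
    """Runs the two passes in order and returns (verdict, findings)."""
    ctx = Context()
    unsafe_pass(ctx, nodes)
    allowlist_pass(ctx, nodes)
    return ("LIKELY_UNSAFE" if ctx.results else "LIKELY_SAFE", ctx.results)


# Constructed sample: one allowlisted ML import and one benign non-ML import that is
# neither denylisted nor allowlisted, so only the allowlist pass can catch it.
SAMPLE_NODES = [ImportNode("torch", "Tensor"), ImportNode("pathlib", "Path")]

if __name__ == "__main__":
    print("buggy:", verdict(SAMPLE_NODES, unsafe_imports_pass_buggy))
    print("fixed:", verdict(SAMPLE_NODES, unsafe_imports_pass_fixed))
```

With the buggy first pass the sample is reported LIKELY_SAFE even though pathlib is outside the allowlist; with the fixed pass the allowlist check runs and the verdict becomes LIKELY_UNSAFE. The general lesson for any multi-pass scanner is that a shared "already handled" set must only be written by the pass that actually emits a finding.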
Affected systems
Trail of Bits fickling ≤ 0.1.11 (fixed in 0.1.12)
Mitigation
Upgrade to fickling 0.1.12 or later, which fixes the logic error and restores MLAllowlist enforcement. Do not rely solely on fickling's safety verdict for untrusted pickle files — combine it with sandboxing or migration to the safetensors format.
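As an added example of not trusting a scanner's verdict alone, the loader below enforces its own allowlist at deserialization time, independently of any static check. It is written for this advisory and is not fickling's code or API; the allowlist contents and the function names are assumptions. The point is that the load step itself fails closed: a global the allowlist does not name raises before any constructor runs, regardless of what an upstream scanner reported.

```python
"""Fail-closed pickle loading via a restricted Unpickler (added example, not fickling code)."""
import datetime
import io
import pickle
from collections import OrderedDict

# Constructed allowlist of (module, name) globals permitted during unpickling.
# A real deployment would enumerate exactly the classes its model format needs.
LOAD_ALLOWLIST = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolves globals only from LOAD_ALLOWLIST; everything else is refused."""

    def find_class(self, module: str, name: str):
        if (module, name) in LOAD_ALLOWLIST:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowlisted")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads() that enforces the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_result(data: bytes) -> tuple:
    """Returns ("OK", obj) or ("REJECTED", reason) so callers can log the outcome."""
    try:
        return ("OK", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("REJECTED", str(exc))


# Constructed sample blobs: the first references only an allowlisted global,
# the second references datetime.date, which the allowlist does not include.
ALLOWED_BLOB = pickle.dumps(OrderedDict(a=1))
DISALLOWED_BLOB = pickle.dumps(datetime.date(2026, 7, 4))

if __name__ == "__main__":
    print(load_result(ALLOWED_BLOB))
    print(load_result(DISALLOWED_BLOB))
```

Run this in place of a bare pickle.loads() behind the scanner, and log every REJECTED outcome: a rejection on a file the scanner called LIKELY_SAFE is exactly the signal that would have exposed a fail-open scanner bug like the one described above.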