GHSA-wccx-j62j-r448
CRITICAL | CVSS 9.5 | Published: Mar 4, 2026 | Verified by: gemini-3.1-flash-lite-preview
Description
Fickling has `always_check_safety()` bypass: pickle.loads and _pickle.loads remain unhooked
How AI Introduced This
The library failed to hook all deserialization entry points (specifically pickle.loads and _pickle.loads), allowing attackers to bypass safety checks by using these unhooked functions.
Causality Analysis
✓ CONFIRMED — 8714627126fd
- Vulnerability: Incomplete security hook / Bypass
- Root Cause: The library failed to hook all deserialization entry points (specifically pickle.loads and _pickle.loads), allowing attackers to bypass safety checks by using these unhooked functions.
- Pattern: hooking only pickle.load while leaving pickle.loads and _pickle.loads unmonitored
- Causal Chain: The commit implemented `run_hook()` with an incomplete set of monkey-patches, specifically omitting `pickle.loads` and `_pickle.loads`, which allowed users calling the standard `run_hook()` to remain vulnerable to deserialization attacks via those unmonitored functions.
- Reasoning: The blamed commit introduced the `run_hook()` function which only hooked `pickle.load` while failing to hook `pickle.loads` and `_pickle.loads`. Although the commit included `always_check_safety()` which did hook those functions, the primary `run_hook()` entry point remained incomplete, creating the bypass vulnerability.
AI Signal Details
AI Signals in 8714627
Claude Code | Co-author trailer
Co-Authored-By: Claude <noreply@anthropic.com>
95%
Bug-Introducing Commits (1)
8714627 | AI
Fix PyTorch v1.3+ hook bypass by hooking pickle.Unpickler class
Lucas Bourtoule | Nov 26, 2025 | fickling/hook.py | Blame: 90%