Denial of Service via Infinite Recursion on Cyclic Pickles #196
Description
Initially reported privately by @mldangelo.
Summary
A maliciously crafted pickle file containing cyclic references triggers infinite recursion during Fickling's AST analysis. This causes a RecursionError and crashes the process, allowing an attacker to deny service to any system using Fickling for file scanning.
Details
The vulnerability exists in how Fickling traverses the Abstract Syntax Tree (AST) generated from pickle opcodes. The ASTProperties visitor in fickling/fickle.py:401 recursively traverses this AST without tracking visited nodes or enforcing a recursion depth limit.
Fickling's Interpreter accurately reconstructs cyclic data structures (e.g., a list that contains itself) into a cyclic AST using the MEMOIZE and GET opcodes. When check_safety() is called, the visitor enters infinite recursion until Python's recursion limit is reached.
The crash occurs at fickling/fickle.py:835:
```python
self._properties.visit(self.ast)
```
PoC
```python
from fickling.fickle import Pickled
from fickling.analysis import check_safety

# Opcode sequence: PROTO 2, EMPTY_LIST, MEMOIZE, GET 0, APPEND, STOP
# Creates: L = []; L.append(L)
payload = b'\x80\x02]\x94g0\na.'
check_safety(Pickled.load(payload))  # Crashes with RecursionError
```
Impact
Denial of Service (Availability). If Fickling is deployed as a security scanner for a web service, ML pipeline, or CI/CD system, an attacker can crash the scanning service by submitting a 7-byte malicious pickle file.
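The two safeguards the Details section names as missing (visited-node tracking and a depth limit), shown on Python's standard `ast` module. This is an added example, not Fickling's code or its fix; `build_cyclic_list_ast`, `NaiveVisitor`, `CycleSafeVisitor` and `MAX_DEPTH` are hypothetical names, and the sample tree is constructed.

```python
import ast


def build_cyclic_list_ast():
    """Constructed sample: the AST shape of L = []; L.append(L)."""
    lst = ast.List(elts=[], ctx=ast.Load())
    lst.elts.append(lst)  # the List node is now its own child
    return ast.Module(body=[ast.Expr(value=lst)], type_ignores=[])


class NaiveVisitor(ast.NodeVisitor):
    """Plain recursive traversal: no visited set, no depth limit."""

    def __init__(self):
        self.nodes = 0

    def generic_visit(self, node):
        self.nodes += 1
        super().generic_visit(node)


class CycleSafeVisitor(ast.NodeVisitor):
    """Traversal that stops on back-edges and enforces a depth budget."""

    MAX_DEPTH = 200  # assumed budget, well under Python's default limit

    def __init__(self):
        self.nodes = 0
        self.cycles = 0              # back-edges to a node still on the path
        self.depth_exceeded = False  # a scanner should fail closed on this
        self._active = set()         # ids of nodes on the current path
        self._done = set()           # ids of nodes fully processed

    def visit(self, node):
        key = id(node)
        if key in self._active:
            self.cycles += 1
            return
        if key in self._done:
            return  # shared subtree, already analysed
        if len(self._active) >= self.MAX_DEPTH:
            self.depth_exceeded = True
            return
        self._active.add(key)
        self.nodes += 1
        try:
            super().visit(node)
        finally:
            self._active.discard(key)
            self._done.add(key)
```

A scanner built on this pattern should report the input as unsafe whenever `depth_exceeded` is set, rather than treating a truncated traversal as a clean result.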