# Evidence Appendix
Last checked: 2026-05-02.
This is supporting evidence for Current Coverage.
This page records code locations and checker coverage for the current Python pickle-backed CVE evidence set. “Code location” means the most precise public location available from NVD, GHSA, CVE, OSV, vendor advisory, or patch references. Some rows are exact files/functions; some are advisory-described endpoints where source confirmation is still needed.
## Checker Validation

The current concrete fixtures are `tests/fixtures/fix_cve_downstream_wrappers.py` and `tests/fixtures/fix_cve_source_direct_pickle.py`. Trusted-input enforcement for real APIs is validated in `tests/fixtures/fix_trusted_real_apis.py`.

Validated on 2026-05-02:

| Checker | Result |
|---|---|
| `mypy --strict tests/fixtures/fix_cve_downstream_wrappers.py` | Expected diagnostics include unsafe-return assignments plus raw trusted-input errors for gated byte/path loader APIs. |
| `pyright --warnings tests/fixtures/fix_cve_downstream_wrappers.py` | Expected diagnostics include unsafe-return assignments plus raw trusted-input errors for gated byte/path loader APIs, plus missing-module-source warnings for overlay-only packages. |
| `ty check tests/fixtures/fix_cve_downstream_wrappers.py` | Expected diagnostics include unsafe assignments plus raw trusted-input errors for gated byte/path loader APIs. ty still resolves stdlib `marshal` before Falcon's overlay. |
| `mypy --strict tests/fixtures/fix_cve_source_direct_pickle.py` | 15 expected diagnostics: 9 unsafe-return assignments plus 6 raw `pickle.loads` trusted-input errors. |
| `pyright --warnings tests/fixtures/fix_cve_source_direct_pickle.py` | 15 expected errors. |
| `ty check tests/fixtures/fix_cve_source_direct_pickle.py` | 15 expected diagnostics. |
| `mypy --strict tests/fixtures/fix_trusted_real_apis.py` | Expected diagnostics include raw-input errors and preserved `Unsafe[...]` assignment errors for the current trusted-input gates. |
| `pyright --warnings tests/fixtures/fix_trusted_real_apis.py` | Expected diagnostics include raw-input errors and preserved `Unsafe[...]` assignment errors for the current trusted-input gates. |
| `ty check tests/fixtures/fix_trusted_real_apis.py` | Expected diagnostics include raw-input errors and preserved `Unsafe[...]` assignment errors for the current trusted-input gates. |

These fixtures currently validate the following target stubs and sink-family stubs: cloudpickle, dill, joblib, jsonpickle, marshal, unsafe YAML loaders, NumPy, pandas `read_pickle`, pandas `io.pickle.read_pickle`, skops `Card.get_model`, Embedchain `OpenAPILoader.load_data`, LangChain community FAISS, legacy LangChain FAISS, Kedro, LlamaIndex, pyfory, python-socketio, smolagents, Step-Video-T2V placeholder API, PyTorch, Pipecat, torch_musa, vLLM weight iterators, InvokeAI model-loading helpers, and Horovod cloudpickle codec.
## Coverage States

| State | Meaning |
|---|---|
| validated target stub | A package/API stub exists and the current fixture produces checker failures. |
| implemented target stub | A package/API stub exists, but no per-CVE fixture is present yet. |
| source-only | Falcon would catch the direct `pickle.load(s)` call if the vulnerable project source were type-checked with Falcon stubs, but there is no consumer API stub. |
| missing sink family | The CVE uses a related sink that Falcon has not stubbed yet. No current evidence-set rows remain in this state after the cloudpickle and jsonpickle stubs. |
| out of scope | The core weakness is analyzer classification or another property that is not a typed application value crossing from unsafe source to trusted sink. |
## Triage Matrix

| CVE | Project | Public code location / sink | Falcon coverage | mypy / pyright status | Evidence |
|---|---|---|---|---|---|
| CVE-2019-6446 | NumPy | `numpy.load(..., allow_pickle=True)` object-array loading | validated target stub | Validated in fixture: `np.load(..., allow_pickle=True)` produces `Unsafe[Any]` assignment error. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-6446 |
| CVE-2024-5998 | LangChain | `FAISS.deserialize_from_bytes`; also `FAISS.load_local` in wrapper policy | validated target stub plus trusted-input gate | Validated for community and legacy FAISS byte/path loaders: raw inputs are rejected, `TrustedBytes` / `TrustedPath` inputs are accepted, and returns remain `Unsafe[...]`. | Enginsight: https://cve.enginsight.com/2024/5998/index.html |
| CVE-2024-9701 | Kedro | `kedro.io.ShelveStore` reads backed by stdlib `shelve` | validated target stub | Validated for `ShelveStore.__getitem__`, `get`, and `load`. | Enginsight: https://cve.enginsight.com/2024/9701/index.html |
| CVE-2025-3108 | LlamaIndex | `llama_index.core.workflow.JsonPickleSerializer.deserialize` | validated target stub | Validated for `JsonPickleSerializer.deserialize`: the public string API returns `Unsafe[...]`. No trusted-input gate is claimed for this wrapper. | CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3108 |
| CVE-2025-32434 | PyTorch | `torch.load(..., weights_only=True)` | validated target stub plus trusted-input gate | Validated in fixture: raw `torch.load(Path(...))` is rejected, `torch.load(TrustedPath)` is accepted, and the return still produces an `Unsafe[Any]` assignment error. Current stub is conservative for all `torch.load` calls. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-32434 |
| CVE-2025-50472 | ModelScope / ms-swift | `swift/hub/utils/caching.py`, `ModelFileSystemCache.load_model_meta`, `pickle.load` | validated source fixture | Validated in source fixture: direct `pickle.load` produces `Unsafe[Any]`; no swift consumer stub yet. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50472 |
| CVE-2025-61622 | pyfory / pyfury | pickle fallback serializer APIs | validated target stub | Validated in fixture: `pyfory.loads(...)` produces `Unsafe[Any]` assignment error. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61622 |
| CVE-2025-61765 | python-socketio | queue manager deserialization handlers | validated target stub | Validated for `socketio.RedisManager()._handle_emit(...)` and `_handle_callback(...)`; deployment trust of the queue is not type-catchable. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61765 |
| CVE-2025-62373 | Pipecat | `LivekitFrameSerializer.deserialize` | validated target stub plus trusted-input gate | Validated in fixture: raw bytes are rejected, `TrustedBytes` is accepted, and the return remains `Unsafe[...]`. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62373 |
| CVE-2025-65213 | torch_musa | `torch_musa.utils.compare_tool.compare_for_single_op`; `nan_inf_track_for_single_op` | validated target stub plus trusted-input gate | Validated for both compare utilities: raw `str` / `Path` inputs are rejected, `TrustedPath` is accepted, and returns remain `Unsafe[...]`. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65213 |
| CVE-2025-14931 | smolagents | Remote Python Executor pickle parsing | validated placeholder stub, API uncertain | Validated for placeholder `RemotePythonExecutor.deserialize` and `loads`; exact vulnerable API still needs source confirmation before production claims. | CVE Details: https://www.cvedetails.com/cve/CVE-2025-14931/ |
| CVE-2025-57622 | Step-Video-T2V | `api/call_remote_server.py`; `/vae-api`, `/caption-api`, `pickle.loads(request.get_data())` | validated placeholder stub plus source-only | Direct source call would be caught. Placeholder `stepfun_ai.call_remote_server` is now fixture-validated but still needs source/API confirmation. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-57622 |
| CVE-2026-26215 | manga-image-translator | `/simple_execute/{method}`, `/execute/{method}`, `pickle.loads` endpoint logic | validated source fixture | Validated in source fixture: direct `pickle.loads` produces `Unsafe[Any]`; nonce/auth bypass is not type-catchable. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26215 |
| CVE-2026-25874 | LeRobot | async inference gRPC calls: `SendPolicyInstructions`, `SendObservations`, `GetActions`; `pickle.loads` | validated source fixture | Validated in source fixture: direct `pickle.loads` produces `Unsafe[Any]`; unauthenticated gRPC/TLS boundary is outside current type model. | CVEFeed: https://cvefeed.io/vuln/detail/CVE-2026-25874 |
| CVE-2026-23946 | Tendenci | Helpdesk `/reports/`, `run_report()`, `pickle.loads` | validated source fixture | Validated in source fixture: direct `pickle.loads` produces `Unsafe[Any]`; authenticated staff workflow and module enablement are out of type scope. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-23946 |
| CVE-2025-64512 | pdfminer.six | `CMapDB._load_data()`, `pickle.loads()` for `.pickle.gz` CMap data | validated source fixture | Validated in source fixture: direct `pickle.loads` produces `Unsafe[Any]`; a consumer-facing PDF API stub would need `TrustedPath` / `TrustedBytes` design. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64512 |
| CVE-2026-3059 | SGLang | `python/sglang/multimodal_gen/runtime/scheduler_client.py`, ZMQ broker `pickle.loads` | validated source fixture | Validated in source fixture: direct `pickle.loads` produces `Unsafe[Any]`; broker auth is outside current type model. Companion source shapes cover SGLang encoder disaggregation and replay dump pickle paths. | Enginsight: https://cve.enginsight.com/2026/3059/index.html |
| CVE-2025-56005 | PLY | `yacc(..., picklefile=...)`, `pickle.load`; disputed | validated source fixture, disputed | Validated in source fixture: direct `pickle.load` produces `Unsafe[Any]`; disputed CVE needs policy note before target stubbing. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-56005 |
| CVE-2025-62703 | Fugue | `fugue/rpc/flask.py`, `_decode()`, `cloudpickle.loads()` | validated sink-family stub, source-only wrapper | `cloudpickle.loads` is fixture-validated; current wrapper stubbing is withheld because current upstream source has moved away from that private cloudpickle helper. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62703 |
| CVE-2025-6279 | Upsonic | `/tools/add_tool`, `cloudpickle.loads` | validated sink-family stub | `cloudpickle.loads` is fixture-validated; Upsonic route/API fixture still needs stable import path. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6279 |
| CVE-2024-10190 | Horovod | `ElasticRendezvousHandler._put_value` -> `codec.loads_base64(value)` -> `cloudpickle.loads(decoded)` | validated target stub plus direct sink-family gate | Validated for `horovod.runner.common.util.codec.loads_base64`; the wrapper remains a post-return quarantine claim, while direct `cloudpickle.loads` now requires `TrustedBytes`. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10190 |
| CVE-2024-9053 | vLLM | `AsyncEngineRPCServer`, `run_server_loop()`, `_make_handler_coro()`, `cloudpickle.loads()` | validated sink-family stub | `cloudpickle.loads` is fixture-validated; the RPC cloudpickle path remains source-confirmation separate from the implemented PyTorch weight-iterator stubs. | CVEFeed: https://cvefeed.io/vuln/detail/CVE-2024-9053 |
| CVE-2024-0960 | ai-flow | `ai_flow/cli/commands/workflow_command.py`, `cloudpickle.loads` | validated sink-family stub | `cloudpickle.loads` is fixture-validated; source-shaped ai-flow fixture still useful. | Enginsight: https://cve.enginsight.com/2024/0960/index.html |
| CVE-2020-22083 | jsonpickle | `jsonpickle.decode()`; disputed expected behavior | validated sink-family stub, disputed | `jsonpickle.decode` is fixture-validated; disputed/intended-behavior note retained. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-22083 |
| CVE-2026-22606 | Fickling | analyzer classifies `runpy.run_path()` / `runpy.run_module()` pickle as suspicious | out of scope | Not a source-to-sink typed application value; this is analyzer policy coverage. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22606 |
| CVE-2026-22607 | Fickling | analyzer classifies `cProfile.run()` pickle as suspicious | out of scope | Not a source-to-sink typed application value; this is analyzer policy coverage. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22607 |
## Current Evidence State

### Implemented Evidence

- AST semantic-policy coverage in `falcon-secure audit` for unsafe literal configuration: class-body `safe = False`, class-body `remote_exec = True`, `super().__init__(safe=False)`, and direct constructor calls with unsafe literal config.
- CLI fixtures/tests for the semantic-policy rule.
- Lean backend-evidence model for `StubEvidence`, `ASTEvidence`, and `AppTypeEvidence`.
- Checker fixtures for Kedro `get`/`load`, LlamaIndex `deserialize`, python-socketio callback handling, and smolagents `loads`.
- Stable diagnostic wrapper stubs for vLLM PyTorch weight iterators, InvokeAI model-loading helpers, and Horovod cloudpickle decoding.
- Source-shaped direct-pickle fixtures for ms-swift, Tendenci, pdfminer.six, LeRobot, SGLang scheduler/encoder/replay paths, manga-image-translator, and PLY.
- Lean wrapper-forwarding proof family that turns wrapper evidence into an imported-loader spec.
- Real API trusted-input gates: `pickle.loads`, `cloudpickle.loads`, `dill.loads`, FAISS `deserialize_from_bytes`, and Pipecat `LivekitFrameSerializer.deserialize` require `TrustedBytes`; `cloudpickle.load` and `dill.load` require `TrustedBinaryIO`; `joblib.load`, pandas `read_pickle`, pandas `io.pickle.read_pickle`, `torch.load`, FAISS `load_local`, and torch_musa compare utilities require `TrustedPath`. `falcon-secure audit` JSON and human output list trusted-input promotion sites separately from cast escapes.
- Lean real API policy bridge tying those enforced stubs to `ImportedLoaderSpec`, provenance promotion, and preserved `Unsafe[Any]` returns.
- scikit-learn/joblib, Upsonic, ai-flow, Fugue, and route/file-only rows remain outside implemented wrapper coverage where stable current import paths or public APIs are not confirmed.
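The two rules the coverage states and the trusted-input gates above rest on are (1) a gated sink accepts only a value that passed an explicit promotion site, and (2) the sink's return stays quarantined as `Unsafe[...]` until the caller validates its shape. Falcon enforces both statically through type stubs, so no script on this page runs the checks. The script below is an added illustration, not Falcon's stubs or fixtures: it re-creates the same contract at runtime with constructed stand-ins (`TrustedBytes` as a provenance-carrying dataclass rather than a type marker, `Unsafe` as a wrapper that releases its payload only through a validator, and a `promote_bytes` promotion site whose record mirrors the separate promotion-site listing the audit output produces). Every name and sample value in it is constructed for the example.

```python
"""Runtime model of a trusted-input gate plus a quarantined loader return.

Added illustration only. Falcon enforces this contract statically through
type stubs (TrustedBytes parameters, Unsafe[...] returns); this script
mirrors the same shape at runtime so it can be read without a type checker.
All classes, functions and sample data here are constructed for the example.
"""
from __future__ import annotations

import pickle
from dataclasses import dataclass
from typing import Any, Callable, Generic, TypeVar

T = TypeVar("T")


@dataclass(frozen=True)
class TrustedBytes:
    """Bytes that passed an explicit promotion site (constructed stand-in).

    The only constructor callers are meant to use is promote_bytes(), so every
    instance carries the provenance a reviewer would want to see.
    """
    data: bytes
    provenance: str


@dataclass(frozen=True)
class Unsafe(Generic[T]):
    """Quarantined loader return (constructed stand-in for Unsafe[...]).

    Assigning the bare payload to a typed variable is what the checkers flag;
    here the payload is reachable only through release(), which forces the
    caller to state and check the shape it expects.
    """
    payload: T

    def release(self, validate: Callable[[Any], T]) -> T:
        return validate(self.payload)


_PROMOTION_SITES: list[str] = []


def promote_bytes(raw: bytes, *, provenance: str) -> TrustedBytes:
    """The single promotion site from raw bytes to TrustedBytes.

    Recording the provenance lets an audit list promotion sites separately
    from the sinks, which is the distinction the page draws for audit output.
    """
    _PROMOTION_SITES.append(provenance)
    return TrustedBytes(raw, provenance)


def promotion_sites() -> list[str]:
    return list(_PROMOTION_SITES)


def gated_loads(data: TrustedBytes) -> Unsafe[Any]:
    """A pickle sink behind a trusted-input gate.

    A type checker rejects a plain `bytes` argument statically; the isinstance
    check makes the same rejection observable at runtime in this script.
    """
    if not isinstance(data, TrustedBytes):
        raise TypeError("raw bytes reached a pickle sink; promote them first")
    return Unsafe(pickle.loads(data.data))


def expect_str_int_dict(obj: Any) -> dict[str, int]:
    """Validator used to release a quarantined value as a typed dict."""
    if not isinstance(obj, dict) or not all(
        isinstance(k, str) and isinstance(v, int) for k, v in obj.items()
    ):
        raise TypeError(f"unexpected payload shape: {type(obj).__name__}")
    return obj


def raw_bytes_are_rejected(blob: bytes) -> bool:
    """True when the gate refuses bytes that never passed a promotion site."""
    try:
        gated_loads(blob)  # type: ignore[arg-type]  # the static error, at runtime
    except TypeError:
        return True
    return False


def load_config(blob: bytes, provenance: str) -> dict[str, int]:
    """Full path: promotion site -> gated sink -> validated release."""
    trusted = promote_bytes(blob, provenance=provenance)
    quarantined: Unsafe[Any] = gated_loads(trusted)
    return quarantined.release(expect_str_int_dict)


def sample_blob() -> bytes:
    """Constructed sample: a pickled config dict standing in for a fixture file."""
    return pickle.dumps({"epochs": 3, "batch_size": 32})


if __name__ == "__main__":
    print("raw rejected:", raw_bytes_are_rejected(sample_blob()))
    print("released:", load_config(sample_blob(), "tests/fixtures (constructed)"))
    print("promotion sites:", promotion_sites())
```

The point to take from the runtime version is the separation of concerns the stubs encode: the promotion site is the one place a reviewer needs to justify, the sink itself never sees unpromoted input, and the loaded object never reaches typed code without passing a validator the caller wrote. In the real Falcon fixtures the `TypeError` branches correspond to the raw-input and `Unsafe[...]` assignment diagnostics listed in the checker table rather than to runtime exceptions.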
### Evidence Gaps
- Trusted-input gate extension for additional selected wrapper APIs requires stable public surfaces; FAISS, Pipecat, and torch_musa wrapper gates are now covered for the selected stable import paths.
- OSV candidate normalization and source confirmation are ongoing where evidence is not yet ready to become stable consumer stubs.