{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-24359", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-01-20T15:18:26.989Z", "datePublished": "2025-01-24T16:52:44.304Z", "dateUpdated": "2025-02-12T20:01:18.799Z"}, "containers": {"cna": {"title": "ASTEVAL Vulnerable to Maliciously Crafted Format Strings Leading to Sandbox Escape", "problemTypes": [{"descriptions": [{"cweId": "CWE-134", "lang": "en", "description": "CWE-134: Use of Externally-Controlled Format String", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-749", "lang": "en", "description": "CWE-749: Exposed Dangerous Method or Function", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/lmfit/asteval/security/advisories/GHSA-3wwr-3g9f-9gc7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lmfit/asteval/security/advisories/GHSA-3wwr-3g9f-9gc7"}, {"name": "https://github.com/lmfit/asteval/blob/cfb57f0beebe0dc0520a1fbabc35e66060c7ea71/asteval/asteval.py#L507", "tags": ["x_refsource_MISC"], "url": "https://github.com/lmfit/asteval/blob/cfb57f0beebe0dc0520a1fbabc35e66060c7ea71/asteval/asteval.py#L507"}, {"name": "https://lucumr.pocoo.org/2016/12/29/careful-with-str-format", "tags": ["x_refsource_MISC"], "url": "https://lucumr.pocoo.org/2016/12/29/careful-with-str-format"}], "affected": [{"vendor": "lmfit", "product": "asteval", "versions": [{"version": "< 1.0.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-25T00:54:58.877Z"}, "descriptions": [{"lang": "en", "value": "ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, if an attacker can control the input to the `asteval` library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of the application using the library. The vulnerability is rooted in how `asteval` performs handling of `FormattedValue` AST nodes. In particular, the `on_formattedvalue` value uses the dangerous format method of the str class. The code allows an attacker to manipulate the value of the string used in the dangerous call `fmt.format(__fstring__=val)`. This vulnerability can be exploited to access protected attributes by intentionally triggering an `AttributeError` exception. The attacker can then catch the exception and use its `obj` attribute to gain arbitrary access to sensitive or protected object properties. Version 1.0.6 fixes this issue."}], "source": {"advisory": "GHSA-3wwr-3g9f-9gc7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-24359", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-24T17:28:13.184358Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T20:01:18.799Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-24359", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-01-20T15:18:26.989Z", "datePublished": "2025-01-24T16:52:44.304Z", "dateUpdated": "2025-01-25T00:54:58.877Z"}, "containers": {"cna": {"title": "ASTEVAL Vulnerable to Maliciously Crafted Format Strings Leading to Sandbox Escape", "problemTypes": [{"descriptions": [{"cweId": "CWE-134", "lang": "en", "description": "CWE-134: Use of Externally-Controlled Format String", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-749", "lang": "en", "description": "CWE-749: Exposed Dangerous Method or Function", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/lmfit/asteval/security/advisories/GHSA-3wwr-3g9f-9gc7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lmfit/asteval/security/advisories/GHSA-3wwr-3g9f-9gc7"}, {"name": "https://github.com/lmfit/asteval/blob/cfb57f0beebe0dc0520a1fbabc35e66060c7ea71/asteval/asteval.py#L507", "tags": ["x_refsource_MISC"], "url": "https://github.com/lmfit/asteval/blob/cfb57f0beebe0dc0520a1fbabc35e66060c7ea71/asteval/asteval.py#L507"}, {"name": "https://lucumr.pocoo.org/2016/12/29/careful-with-str-format", "tags": ["x_refsource_MISC"], "url": "https://lucumr.pocoo.org/2016/12/29/careful-with-str-format"}], "affected": [{"vendor": "lmfit", "product": "asteval", "versions": [{"version": "< 1.0.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-25T00:54:58.877Z"}, "descriptions": [{"lang": "en", "value": "ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, if an attacker can control the input to the `asteval` library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of the application using the library. The vulnerability is rooted in how `asteval` performs handling of `FormattedValue` AST nodes. In particular, the `on_formattedvalue` value uses the dangerous format method of the str class. The code allows an attacker to manipulate the value of the string used in the dangerous call `fmt.format(__fstring__=val)`. This vulnerability can be exploited to access protected attributes by intentionally triggering an `AttributeError` exception. The attacker can then catch the exception and use its `obj` attribute to gain arbitrary access to sensitive or protected object properties. Version 1.0.6 fixes this issue."}], "source": {"advisory": "GHSA-3wwr-3g9f-9gc7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-24359", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-24T17:28:13.184358Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2025-02-12T19:55:36.870Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, if an attacker can control the input to the `asteval` library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of the application using the library. The vulnerability is rooted in how `asteval` performs handling of `FormattedValue` AST nodes. In particular, the `on_formattedvalue` value uses the dangerous format method of the str class. The code allows an attacker to manipulate the value of the string used in the dangerous call `fmt.format(__fstring__=val)`. This vulnerability can be exploited to access protected attributes by intentionally triggering an `AttributeError` exception. The attacker can then catch the exception and use its `obj` attribute to gain arbitrary access to sensitive or protected object properties. Version 1.0.6 fixes this issue."}, {"lang": "es", "value": "ASTEVAL es un evaluador de expresiones y declaraciones de Python. Antes de la versi\u00f3n 1.0.6, si un atacante pod\u00eda controlar la entrada de `asteval` librer\u00eda, pod\u00eda eludir las restricciones de asteval y ejecutar c\u00f3digo Python arbitrario en el contexto de la aplicaci\u00f3n utilizando tlibrer\u00edaary. La vulnerabilidad tiene su ra\u00edz en la forma en que `asteval` realiza el manejo de los nodos AST `FormattedValue`. En particular, el valor `on_formattedvalue` utiliza el m\u00e9todo de formato peligroso de la clase str. El c\u00f3digo permite a un atacante manipular el valor de la cadena utilizada en la llamada peligrosa `fmt.format(__fstring__=val)`. Esta vulnerabilidad se puede explotar para acceder a atributos protegidos activando intencionalmente una excepci\u00f3n `AttributeError`. El atacante puede entonces capturar la excepci\u00f3n y utilizar su atributo `obj` para obtener acceso arbitrario a propiedades de objetos confidenciales o protegidas. La versi\u00f3n 1.0.6 corrige este problema."}], "id": "CVE-2025-24359", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-01-24T17:15:16.197", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/lmfit/asteval/blob/cfb57f0beebe0dc0520a1fbabc35e66060c7ea71/asteval/asteval.py#L507"}, {"source": "security-advisories@github.com", "url": "https://github.com/lmfit/asteval/security/advisories/GHSA-3wwr-3g9f-9gc7"}, {"source": "security-advisories@github.com", "url": "https://lucumr.pocoo.org/2016/12/29/careful-with-str-format"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-134"}, {"lang": "en", "value": "CWE-749"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}