CVE-2025-24359: A Critical Vulnerability in ASTEVAL Library

CVE-2025-24359

CVE-2025-24359 is a significant vulnerability found in the ASTEVAL library, which is designed for evaluating Python expressions and statements. This vulnerability, identified as having a high severity with a base score of 8.4, allows attackers to execute arbitrary Python code within the context of applications utilizing the library. The issue arises from improper handling of FormattedValue Abstract Syntax Tree (AST) nodes in the library. 

Technical Details

Vulnerability Mechanism

The vulnerability is rooted in how ASTEVAL processes FormattedValue nodes (the `{...}` placeholders of an f-string). Specifically, the on_formattedvalue function builds the result with the format method of Python's str class, and the format string it passes in is derived from the expression under evaluation, so an attacker who controls the input also controls that format string:

```python
fmt.format(__fstring__=val)
```

By controlling this format string, an attacker can deliberately trigger an AttributeError. Once the exception is caught, its obj attribute exposes the object on which the failed lookup was performed, giving access to sensitive or protected properties of objects that ASTEVAL would otherwise keep out of reach.
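To show why handing an attacker-controlled string to str.format is dangerous, and what constraining that call looks like from the defender's side, here is an added example. It is not code from ASTEVAL or from its 1.0.6 patch; RestrictedFormatter, safe_fstring_format and is_safe_format_spec are hypothetical names chosen for this post. The idea is that attribute walks ("{x.__class__}"), item walks ("{x[0]}") and nested fields inside a format spec all pass through string.Formatter.get_field, so a formatter that accepts only the one bare field name __fstring__ refuses every such lookup while still supporting ordinary width and precision specs.

```python
import string


class UnsafeFormatField(ValueError):
    """Raised when a format string tries to reach beyond the permitted field."""


class RestrictedFormatter(string.Formatter):
    """A str.format-compatible formatter that resolves exactly one named field.

    Plain str.format lets the format string walk attributes ("{x.__class__}")
    and items ("{x[0]}") of its arguments, and nested fields in a format spec
    ("{x:{x.real}}") are resolved the same way. All of those go through
    get_field, so rejecting anything but the bare field name closes them off.
    Hypothetical hardening written for this post, not asteval's own fix.
    """

    ALLOWED_FIELD = "__fstring__"

    def get_field(self, field_name, args, kwargs):
        # field_name is the raw text between "{" and ":" / "!" / "}", e.g.
        # "__fstring__", "__fstring__.__class__", "__fstring__[0]" or "0".
        if field_name != self.ALLOWED_FIELD:
            raise UnsafeFormatField(f"disallowed format field {field_name!r}")
        return kwargs[field_name], field_name


def safe_fstring_format(fmt: str, val) -> str:
    """Format val with fmt, allowing only specs that act on __fstring__ itself."""
    return RestrictedFormatter().format(fmt, __fstring__=val)


def is_safe_format_spec(fmt: str) -> bool:
    """True if fmt never tries to leave the __fstring__ field.

    A spec that is merely invalid for the probe value (e.g. "{__fstring__:zz}")
    raises a plain ValueError: no escape attempt, so it is reported as safe.
    """
    try:
        RestrictedFormatter().format(fmt, __fstring__=0)
    except UnsafeFormatField:
        return False
    except ValueError:
        return True
    return True


if __name__ == "__main__":
    # Constructed inputs: benign formatting works, attribute/item walks do not.
    print(safe_fstring_format("{__fstring__:>8.3f}", 3.14159))
    probes = (
        "{__fstring__:>8.3f}",
        "{__fstring__!r}",
        "{__fstring__.__class__}",
        "{__fstring__[0]}",
        "{0}",
        "{__fstring__:{__fstring__.real}}",
    )
    for probe in probes:
        print(f"{probe!r:40} safe={is_safe_format_spec(probe)}")
```

The check is deliberately coarse: it does not try to decide which attributes are harmless, it simply refuses to resolve any, which is the property a sandboxed evaluator actually needs from its formatting step.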

Impact and Exploitation

An attacker capable of providing crafted input to the ASTEVAL library can bypass its security restrictions, leading to a sandbox escape. This means that they can execute arbitrary code, potentially compromising the entire application and accessing sensitive data. 

Proof of Concept

A proof-of-concept (PoC) has been demonstrated where an attacker could execute a command such as whoami on the host machine by exploiting this vulnerability. This highlights the real-world implications of the flaw and underscores the urgency for users to update their libraries.

Mitigation

The vulnerability was addressed in version 1.0.6 of ASTEVAL, which includes patches to prevent such exploitation. Users are strongly advised to upgrade to this version or later to ensure their applications are secure against this vulnerability.
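As an added example for the upgrade advice above (not part of asteval or this post's original content), the following script audits the installed asteval distribution against the 1.0.6 fix version named here. parse_version, is_vulnerable_version and check_installed are hypothetical helper names; the version strings in the main block are constructed samples.

```python
import re
from importlib import metadata

# First release the advisory names as patched: (1, 0, 6), final (not pre-release).
FIXED_VERSION = ((1, 0, 6), 1)


def parse_version(version: str) -> tuple:
    """Turn '1.0.5', '1.0.6rc1' or '0.9.31' into a comparable key.

    The key is (numeric parts, final_flag). A pre-release suffix such as
    'rc1' or 'b2' sets final_flag to 0 so that '1.0.6rc1' sorts *below*
    '1.0.6' and is still treated as vulnerable. Hypothetical helper, not
    the packaging library's full PEP 440 parser.
    """
    match = re.match(r"(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not match:
        raise ValueError(f"unparseable version string {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    final_flag = 0 if match.group(2) else 1
    return numbers, final_flag


def is_vulnerable_version(version: str) -> bool:
    """True if the given asteval version predates the 1.0.6 fix."""
    return parse_version(version) < FIXED_VERSION


def check_installed(distribution: str = "asteval"):
    """Return (installed_version, vulnerable) for this environment.

    Returns (None, False) when the distribution is not installed at all.
    Only the declared package metadata is inspected; a vendored copy of
    asteval inside another package would not be seen.
    """
    try:
        installed = metadata.version(distribution)
    except metadata.PackageNotFoundError:
        return None, False
    return installed, is_vulnerable_version(installed)


if __name__ == "__main__":
    # Constructed sample versions, not a claim about what exists on PyPI.
    for sample in ("0.9.31", "1.0.5", "1.0.6rc1", "1.0.6", "1.0.10"):
        print(f"asteval {sample:<8} vulnerable={is_vulnerable_version(sample)}")
    version, vulnerable = check_installed()
    if version is None:
        print("asteval is not installed here")
    else:
        print(f"installed asteval {version}: vulnerable={vulnerable}")
```

Run it inside each virtual environment or container image that ships the library; the importlib.metadata lookup only sees the interpreter it runs under.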

Sample Scenarios

  1. Scenario 1: Web Application Vulnerability
    • A web application uses ASTEVAL for evaluating user-submitted mathematical expressions. An attacker crafts an input that triggers the vulnerability, allowing them to execute arbitrary code that could read sensitive files from the server.
  2. Scenario 2: API Exploitation
    • An API endpoint utilizes ASTEVAL for processing dynamic queries based on user input. An attacker sends a maliciously crafted query that exploits CVE-2025-24359, leading to unauthorized access to database records or execution of administrative commands.
  3. Scenario 3: Sandbox Environment Bypass
    • In a sandboxed environment where ASTEVAL is used for executing scripts safely, an attacker manages to manipulate the input string and escape the sandbox, gaining full access to system resources.

Conclusion

CVE-2025-24359 represents a critical security risk for applications relying on the ASTEVAL library prior to version 1.0.6. The ability for attackers to execute arbitrary code poses severe threats, necessitating immediate action from developers and system administrators to update their systems and mitigate potential risks associated with this vulnerability.

Crow

physics, information technologies, author, educator
