
8 matches found

Packet Storm
added 2025/03/12 12:00 a.m. | 272 views

asteval 1.06 Arbitrary Code Execution / Sandbox Escape

An attacker who can pass input to the asteval library, when it is used with numpy functions in the symbol table (the default setting), can bypass restrictions and execute arbitrary code as the user who ran the Python process. Versions 1.06 and below are affected. CVE pending. Sandboxing Python is...

AI score: 8.1
Exploits: 0
Snyk
added 2025/01/24 6:45 p.m. | 1 view

Exposed Dangerous Method or Function

Overview: asteval is a safe, minimalistic evaluator of Python expressions using the ast module. Affected versions of this package are vulnerable to Exposed Dangerous Method or Function through the on_formattedvalue function. An attacker can manipulate the value of the string used in the dangerous call...

CVSS: 8.6 | AI score: 7.7 | EPSS: 0.00032
Exploits: 0 | References: 2
Debian CVE
added 2025/01/24 4:52 p.m. | 14 views

CVE-2025-24359

ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, if an attacker can control the input to the asteval library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of the application using the library. The vulnerability is...

CVSS: 8.4 | AI score: 5.9 | EPSS: 0.00032
Exploits: 0
CVE
added 2025/01/24 4:52 p.m. | 60 views

CVE-2025-24359

CVE-2025-24359 affects the Python package asteval prior to 1.0.6. The root cause is in the handling of FormattedValue AST nodes in on_formattedvalue, which uses the dangerous Str.format path (fmt.format(fstring=val)). This can allow an attacker who controls input to bypass restrictions and execu...

CVSS: 8.4 | AI score: 8.7 | EPSS: 0.00032
Exploits: 0 | References: 3
Positive Technologies
added 2025/01/24 12:00 a.m. | 3 views

PT-2025-5341

Name of the Vulnerable Software and Affected Versions: asteval versions prior to 1.0.6. Description: The issue is rooted in how asteval handles FormattedValue AST nodes, specifically the on_formattedvalue handler using the dangerous format method of the str class. This allows an attacker ...

CVSS: 8.4 | AI score: 6.8 | EPSS: 0.00032
Exploits: 0 | References: 33
OSV
added 2025/01/23 10:33 p.m. | 0 views

GHSA-VP47-9734-PRJW: ASTEVAL Allows Malicious Tampering of Exposed AST Nodes Leads to Sandbox Escape

Summary: If an attacker can control the input to the asteval library, they can bypass its safety restrictions and execute arbitrary Python code within the application's context. Details: The vulnerability is rooted in how asteval performs attribute access verification. In particular, the on_attribut...

CVSS: 8.4 | AI score: 6.1
Exploits: 0 | References: 3
Snyk
added 2025/01/23 10:33 p.m. | 1 view

Exposed Dangerous Method or Function

Overview: asteval is a safe, minimalistic evaluator of Python expressions using the ast module. Affected versions of this package are vulnerable to Exposed Dangerous Method or Function; the issue stems from the library's attribute access verification method, specifically within the on_attribute node handler. The...

CVSS: 8.6 | AI score: 7.2
Exploits: 0 | References: 2
vulnersOsv
added 2025/01/23 10:33 p.m. | 0 views

awslabs-ccapi-mcp-server (>=1.0.1 <=1.0.18), bridgecrew (>=3.2.415 <=3.2.477) +10 more potentially affected by unknown CVE via asteval (=1.0.5)

asteval PyPI version =1.0.5 is affected by a known vulnerability. The following packages have a transitive dependency on asteval and may be impacted: - awslabs-ccapi-mcp-server =1.0.1, =3.2.415, =3.2.415, =0.1.130, =6.0.0, =5.8.0, =5.8.0, =0.0.8, =0.1.0, =0.14.3 Source cves: unknown CVE Source...

AI score: 5.8
Exploits: 0