CVE-2025-24359
📋 TL;DR
CVE-2025-24359 is a code execution vulnerability in the ASTEVAL Python library: an attacker who controls the input evaluated by the library can bypass its security restrictions and execute arbitrary Python code. Any application that uses a vulnerable version of ASTEVAL to evaluate untrusted user input is affected. The flaw stems from improper handling of formatted string (f-string) AST nodes, which lets an expression reach protected object attributes.
💻 Affected Systems
- ASTEVAL Python library
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full remote code execution leading to complete system compromise, data theft, and lateral movement within the environment.
Likely Case
Arbitrary code execution within the application context, potentially allowing data access, privilege escalation, or denial of service.
If Mitigated
Limited impact if input validation prevents malicious payloads from reaching the vulnerable function.
🎯 Exploit Status
Exploitation requires understanding of Python AST nodes and exception handling. The advisory includes technical details but no ready-to-use exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.6
Vendor Advisory: https://github.com/lmfit/asteval/security/advisories/GHSA-3wwr-3g9f-9gc7
Restart Required: No
Instructions:
1. Update ASTEVAL package: pip install --upgrade asteval==1.0.6
2. Verify no downgrades occur in dependency resolution
3. Test application functionality with the updated version
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation to prevent malicious payloads from reaching the ASTEVAL evaluator.
Disable Formatted String Evaluation
Configure ASTEVAL to disable formatted string evaluation if it is not required by application functionality.
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all data passed to ASTEVAL functions
- Isolate the vulnerable component in a sandboxed environment with minimal privileges
🔍 How to Verify
Check if Vulnerable:
Check the installed ASTEVAL version: pip show asteval | grep Version
Verify Fix Applied:
Confirm the version is 1.0.6 or higher: pip show asteval | grep Version
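The version check above and the "Disable Formatted String Evaluation" workaround, as an added example (not code from the advisory or the asteval project). It compares the installed version against 1.0.6 numerically rather than as strings, and the hardened_interpreter() helper assumes asteval's Interpreter accepts a config dict keyed by AST node name with 'formattedvalue' controlling f-strings.

```python
import re
from importlib import metadata

FIXED_VERSION = "1.0.6"  # patch release named in the advisory

def parse_version(text):
    """Version string -> comparable tuple. Plain string comparison is wrong
    here ('1.0.10' < '1.0.6' as strings); a pre-release tag (a, b, rc, dev)
    sorts below the final release of the same number."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))            # '1.0' compares like '1.0.0'
    pre = -1 if re.match(r"[.\-]?(a|b|rc|dev)", m.group(2)) else 0
    return nums + (pre,)

def version_from_pip_show(output):
    """Pull the Version: field out of `pip show asteval` output, or None."""
    for line in output.splitlines():
        if line.lower().startswith("version:"):
            return line.split(":", 1)[1].strip()
    return None

def is_fixed(version):
    """True when `version` is 1.0.6 or higher."""
    return parse_version(version) >= parse_version(FIXED_VERSION)

def installed_asteval_version():
    """Version of asteval installed in this interpreter, or None."""
    try:
        return metadata.version("asteval")
    except metadata.PackageNotFoundError:
        return None

def hardened_interpreter():
    """Interim workaround from the advisory page: an Interpreter with f-string
    nodes disabled. ASSUMPTION: asteval's Interpreter accepts a `config` dict
    keyed by AST node name, and 'formattedvalue' controls f-strings."""
    from asteval import Interpreter
    return Interpreter(config={"formattedvalue": False})

if __name__ == "__main__":
    v = installed_asteval_version()
    if v is None:
        print("asteval is not installed")
    elif is_fixed(v):
        print(f"asteval {v}: at or above {FIXED_VERSION}")
    else:
        print(f"asteval {v}: below {FIXED_VERSION}; patch, or use hardened_interpreter()")
```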
📡 Detection & Monitoring
Log Indicators:
- Unusual Python exception patterns, particularly AttributeError exceptions in ASTEVAL context
- Unexpected process execution from Python applications using ASTEVAL
Network Indicators:
- Outbound connections from applications that shouldn't make network calls
SIEM Query:
Process creation events from Python processes with command lines containing suspicious Python code or ASTEVAL-related operations