CVE-2025-24359: ASTEVAL Allows Maliciously Crafted Format Strings to Lead to Sandbox Escape
If an attacker can control the input to the asteval library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of the application using the library.
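The general defensive pattern behind this class of bug (an untrusted `str.format` template reaching attributes or indices of the objects it is given) is to validate the template before formatting it. The following is an added example, not asteval's code or the project's fix; the function names `template_is_safe` and `safe_format` are hypothetical. It allows only plain, explicitly supplied keyword fields and rejects attribute access, indexing, positional fields and nested format specs:

```python
import string


class UnsafeFormatFieldError(ValueError):
    """Raised when a format template would reach beyond the supplied values."""


def template_is_safe(template: str, allowed: set[str]) -> bool:
    """Return True if every replacement field in `template` is a bare
    identifier from `allowed`. Attribute access ({x.attr}), indexing
    ({x[0]}), positional/auto-numbered fields ({0}, {}) and nested fields
    inside a format spec ({x:{width}}) are all refused."""
    formatter = string.Formatter()
    for _literal, field_name, spec, _conversion in formatter.parse(template):
        if field_name is None:          # literal text only, no field here
            continue
        if field_name == "" or field_name.isdigit():
            return False                # positional fields are not allowed
        if not field_name.isidentifier():
            return False                # contains '.', '[' or other traversal
        if field_name not in allowed:
            return False                # only explicitly supplied names
        if spec and "{" in spec:
            return False                # nested field in the format spec
    return True


def safe_format(template: str, **values: object) -> str:
    """Format `template` with `values` only after it passes template_is_safe."""
    if not template_is_safe(template, set(values)):
        raise UnsafeFormatFieldError(f"template rejected: {template!r}")
    # vformat is used so no positional arguments are ever reachable.
    return string.Formatter().vformat(template, (), values)


if __name__ == "__main__":
    # Constructed sample templates: the first is accepted, the others rejected.
    print(safe_format("Hello {name}, you have {count} messages", name="ada", count=3))
    for bad in ("{name.upper}", "{name[0]}", "{0}", "{name:{width}}", "{other}"):
        print(bad, "->", template_is_safe(bad, {"name", "count"}))
```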
References
- github.com/advisories/GHSA-3wwr-3g9f-9gc7
- github.com/lmfit/asteval
- github.com/lmfit/asteval/blob/cfb57f0beebe0dc0520a1fbabc35e66060c7ea71/asteval/asteval.py
- github.com/lmfit/asteval/commit/45bb47533f7abb5479618ae7f6a809215700dcb2
- github.com/lmfit/asteval/security/advisories/GHSA-3wwr-3g9f-9gc7
- lucumr.pocoo.org/2016/12/29/careful-with-str-format
- nvd.nist.gov/vuln/detail/CVE-2025-24359
Detect and mitigate CVE-2025-24359 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.