CVE-2013-4409
Description
An eval() vulnerability exists in Python Software Foundation Djblets 0.7.21 and Beanbag Review Board before 1.7.15 when parsing JSON requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Djblets ≤0.7.21 uses unsafe eval() on JSON request data, letting remote attackers execute arbitrary Python code.
Root cause
The vulnerability resides in the Djblets releases used by Review Board before 1.7.15 (the CVE description cites Djblets 0.7.21). The Django extension library relied on Python's eval() to deserialize JSON request data that could contain repr()-encoded objects, which a strict JSON parser rejects. eval() does not merely parse a literal: it compiles and executes any Python expression, including function calls, attribute access and __import__(), so feeding it untrusted request data is arbitrary code execution, and no input filtering short of a real parser makes it safe [1][4].
Exploitation
A remote attacker crafts a request whose JSON body contains a string that, when the parsing code hands it to eval(), runs attacker-chosen Python on the server; the cited advisory treats this as requiring no prior authentication [4]. The attack surface is every JSON-parsing endpoint of any application that embeds the vulnerable Djblets library, Review Board being the main deployment [4].
Impact
Successful exploitation yields arbitrary code execution in the context of the web application process (for example the mod_wsgi process serving Review Board), which is enough for full server compromise: data theft, escalation from the service account, or denial of service. Red Hat's advisory describes the impact as ranging from denial of service, through data disclosure, to complete compromise of the host [1][4].
Mitigation
The fix, shipped with Review Board 1.7.15 (the narrative cites Djblets 0.7.21.1 [4], while the GitHub advisory data below lists 0.6.30 and 0.7.19 as the patched Djblets releases; check the installed package against the Djblets NEWS file), replaces eval() with ast.literal_eval(), which accepts only Python literals (strings, numbers, tuples, lists, dicts, booleans, None) and raises on calls, names and attribute access. Operators should upgrade immediately. The caveat: ast.literal_eval exists only on Python 2.6 and later, and on Python 2.5 or earlier the fix falls back to eval(), so installations on those interpreters remain exploitable after upgrading [4]. Red Hat rates the CVE CRITICAL with a CVSS score of 10.0 [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
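The eval() fallback described under Root cause, beside the literal_eval() replacement described under Mitigation, as an added example that is not Djblets or Review Board code: the function names (unsafe_loads, safe_loads, SAFE_LITERAL_EVAL) and the sample inputs are invented for this illustration, and the import fallback mirrors the Python 2.5 behaviour the narrative describes rather than the project's actual source.

```python
"""Illustrative reconstruction of the eval()-fallback pattern behind
CVE-2013-4409 and of the ast.literal_eval() fix.  Added example, not Djblets
or Review Board code; names and sample payloads are invented here."""
import ast
import json

# Shape of the fix the page describes: use ast.literal_eval where it exists
# and fall back to eval() on interpreters without it (Python 2.5 and earlier,
# since ast.literal_eval arrived in 2.6).  On any current Python the import
# succeeds; the flag lets a deployment check which branch it got.
try:
    from ast import literal_eval
    SAFE_LITERAL_EVAL = True
except ImportError:  # Python < 2.6: this is the branch that stays exploitable
    literal_eval = eval  # assumption: mirrors the fallback the page describes
    SAFE_LITERAL_EVAL = False


def unsafe_loads(text):
    """Vulnerable pattern: parse JSON, and if that fails hand the raw text to
    eval() to cope with repr()-style data such as {u'key': u'value'}.

    eval() compiles and executes any expression, so input that is neither JSON
    nor a literal, e.g. __import__('os').system('id'), runs with the
    privileges of the web application process."""
    try:
        return json.loads(text)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return eval(text)  # noqa: S307 - deliberately vulnerable for the demo


def safe_loads(text):
    """Hardened pattern: the same fallback, but through ast.literal_eval, which
    only builds literals (str, bytes, numbers, tuple, list, dict, set, bool,
    None) and raises on anything else: calls, names, attribute access."""
    try:
        return json.loads(text)
    except ValueError:
        pass
    try:
        return literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("refusing to evaluate non-literal input: %r" % text[:40]) from exc


# Constructed sample inputs: valid JSON, Python 2 repr() output of the same
# object, and a benign stand-in for an os.system(...) payload.
SAMPLES = {
    "json": '{"summary": "fix typo", "public": true}',
    "repr": "{u'summary': u'fix typo', u'public': True}",
    "payload": "__import__('math').factorial(5)",
}


def demo():
    """Run both loaders over SAMPLES; returns what each accepted or rejected."""
    results = {}
    for name, text in SAMPLES.items():
        row = {}
        for label, loader in (("unsafe", unsafe_loads), ("safe", safe_loads)):
            try:
                row[label] = loader(text)
            except ValueError as exc:
                row[label] = "rejected: %s" % exc
        results[name] = row
    return results


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

Both loaders accept the JSON and the repr()-style input, which is the compatibility need that motivated the fallback. Only the vulnerable loader evaluates the call expression (here it returns 120; in an attack the expression would be a shell command). SAFE_LITERAL_EVAL is the deployment check: it is False only when the interpreter lacks ast.literal_eval, which is exactly the Python 2.5-and-earlier case the narrative flags as still exploitable.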
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| djblets | PyPI | < 0.6.30 | 0.6.30 |
| djblets | PyPI | >= 0.7.0, < 0.7.19 | 0.7.19 |
| ReviewBoard | PyPI | < 1.7.15 | 1.7.15 |
Affected products
- GHSA coordinates, range: < 1.7.15
- GHSA coordinates, 2 version ranges: < 0.6.30 and 1 more
- (no CPE) range: < 0.6.30
- (no CPE) range: < 1.7.15
- Python Software Foundation; Beanbag / Djblets (CVE v5 record) range: 0.7.21
- Python Software Foundation; Beanbag / Review Board (CVE v5 record) range: before 1.7.15
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-58h8-44mg-r43x (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2013-4409 (ghsa; ADVISORY)
- lists.fedoraproject.org/pipermail/package-announce/2013-November/120619.html (ghsa; x_refsource_MISC; WEB)
- lists.fedoraproject.org/pipermail/package-announce/2013-October/119819.html (ghsa; x_refsource_MISC; WEB)
- lists.fedoraproject.org/pipermail/package-announce/2013-October/119820.html (ghsa; x_refsource_MISC; WEB)
- lists.fedoraproject.org/pipermail/package-announce/2013-October/119830.html (ghsa; x_refsource_MISC; WEB)
- lists.fedoraproject.org/pipermail/package-announce/2013-October/119831.html (ghsa; x_refsource_MISC; WEB)
- www.securityfocus.com/bid/63029 (mitre; x_refsource_MISC)
- access.redhat.com/security/cve/cve-2013-4409 (ghsa; x_refsource_MISC; WEB)
- bugzilla.redhat.com/show_bug.cgi (ghsa; x_refsource_MISC; WEB)
- exchange.xforce.ibmcloud.com/vulnerabilities/88059 (ghsa; x_refsource_MISC; WEB)
- github.com/djblets/djblets/blob/release-0.7.19/NEWS (ghsa; WEB)
- github.com/pypa/advisory-database/tree/main/vulns/djblets/PYSEC-2019-175.yaml (ghsa; WEB)
- security-tracker.debian.org/tracker/CVE-2013-4409 (ghsa; x_refsource_MISC; WEB)
- web.archive.org/web/20200228151135/https://www.securityfocus.com/bid/63029 (ghsa; WEB)
- www.reviewboard.org/docs/releasenotes/reviewboard/1.7.15 (ghsa; WEB)
News mentions
No linked articles in our index yet.