CVE-2018-8097
Description
Eve before 0.7.5 allows remote attackers to achieve arbitrary code execution by injecting Python code into the where parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Eve before 0.7.5 allows remote attackers to achieve arbitrary code execution by injecting Python code into the `where` parameter.
Vulnerability
A code injection vulnerability exists in io/mongo/parser.py of Eve (pyeve) versions prior to 0.7.5 [1][2][3]. The where parameter, used for filtering MongoDB queries, is parsed into a Python AST, and for function calls such as ObjectId() and datetime() the parser concatenates the call name with its argument text and hands the resulting string to Python's eval(), allowing remote attackers to inject arbitrary Python code [1][3]. No authentication is required to reach this code path, as the where parameter is parsed during request processing [1].
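The following is an added illustration of the eval-free approach the 0.7.5 fix takes; it is not Eve's parser and shares no code with it. It translates a Python-syntax `where` string into a MongoDB query dict by walking the AST and constructing `ObjectId` and `datetime` values directly from validated literal arguments, so no user-controlled text is ever turned into code. The function names (`parse_where`, `rejects`) and the exact set of supported operators are this example's own choices; it needs Python 3.8+ for `ast.Constant`, and falls back to a string stand-in if pymongo's `bson` module is not installed.

```python
import ast
from datetime import datetime

try:
    from bson import ObjectId          # ships with pymongo
except ImportError:                     # keep the example runnable without pymongo
    class ObjectId(str):                # stand-in with the same one-argument call shape
        pass

# Python comparison operator -> MongoDB operator (None means plain equality).
_CMP_OPS = {
    ast.Eq: None,
    ast.NotEq: "$ne",
    ast.Gt: "$gt",
    ast.GtE: "$gte",
    ast.Lt: "$lt",
    ast.LtE: "$lte",
}

# Only these constructors may appear in a filter, and each is invoked directly
# on already-validated literal arguments; the name is never assembled into code.
_CONSTRUCTORS = {
    "ObjectId": lambda args: ObjectId(*args),
    "datetime": lambda args: datetime(*args),
}


def _literal(node):
    """Return the Python value for a literal node; refuse anything else."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, int, float)):
        return node.value
    # Negative numbers parse as UnaryOp(USub, Constant); allow those too.
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        inner = _literal(node.operand)
        if isinstance(inner, (int, float)):
            return -inner
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in _CONSTRUCTORS and not node.keywords):
        return _CONSTRUCTORS[node.func.id]([_literal(a) for a in node.args])
    raise ValueError("unsupported value in filter: " + ast.dump(node))


def _field(node):
    """Return a dotted field path from a Name or Attribute node ('contact.id')."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return _field(node.value) + "." + node.attr
    raise ValueError("unsupported field in filter: " + ast.dump(node))


def _expr(node):
    """Translate a boolean/comparison expression into a MongoDB query dict."""
    if isinstance(node, ast.BoolOp):
        op = "$and" if isinstance(node.op, ast.And) else "$or"
        return {op: [_expr(v) for v in node.values]}
    if isinstance(node, ast.Compare) and len(node.ops) == 1:
        op_type = type(node.ops[0])
        if op_type not in _CMP_OPS:
            raise ValueError("unsupported comparison in filter")
        field = _field(node.left)
        value = _literal(node.comparators[0])
        mongo_op = _CMP_OPS[op_type]
        return {field: value} if mongo_op is None else {field: {mongo_op: value}}
    raise ValueError("unsupported expression in filter: " + ast.dump(node))


def parse_where(where):
    """Parse a Python-syntax `where` string into a MongoDB query without eval()."""
    tree = ast.parse(where, mode="eval")   # syntax only; nothing is executed
    return _expr(tree.body)


def rejects(where):
    """True if the filter is refused (any call that is not a whitelisted constructor)."""
    try:
        parse_where(where)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample filters, not captured traffic.
    print(parse_where('name == "john" and age > 30'))
    print(parse_where('created >= datetime(2018, 3, 1)'))
    print(rejects('age > abs(-1)'))
```

The design point is that the AST is used only as a parse tree: every node type that is not a literal, a field name, a comparison, or a boolean combination is rejected, and the two permitted constructors are called as Python objects rather than re-assembled into source text. A real deployment would also want to map constructor failures (for example an invalid ObjectId string) to a client-visible 4xx rather than a 500.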
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request containing malicious Python code in the where parameter to a vulnerable Eve application [1][3]. No authentication or special privileges are required [1][4]. The attacker only needs network access to the exposed endpoint; the vulnerable code path is triggered automatically when a request with the where parameter is processed [1].
Impact
Successful exploitation yields arbitrary code execution on the server running the Eve application [1][3]. The injected code runs with the privileges of the Eve process, typically leading to full compromise of the application and potentially the underlying host [1]. The impact includes complete loss of confidentiality, integrity, and availability (CIA) for the affected system [1].
Mitigation
A fix was implemented in Eve version 0.7.5, released with commit f8f7019ffdf9b4e05faf95e1f04e204aa4c91f98 [3][4]. Upgrading to Eve 0.7.5 or later is the official mitigation. No workarounds have been documented; administrators of older versions should update immediately. This CVE is listed in the GitHub Advisory Database [1] and the PyPA advisory database [4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| eve (PyPI) | < 0.7.5 | 0.7.5 |
Affected products
Patches
1 file changed · +9 −6
eve/io/mongo/parser.py+9 −6 modified@@ -122,16 +122,19 @@ def visit_Call(self, node): datetime(). """ if isinstance(node.func, ast.Name): - expr = None if node.func.id == 'ObjectId': - expr = "('" + node.args[0].s + "')" + try: + self.current_value = ObjectId(node.args[0].s) + except: + pass elif node.func.id == 'datetime': values = [] for arg in node.args: - values.append(str(arg.n)) - expr = "(" + ", ".join(values) + ")" - if expr: - self.current_value = eval(node.func.id + expr) + values.append(arg.n) + try: + self.current_value = datetime(*values) + except: + pass def visit_Attribute(self, node): """ Attribute handler ('Contact.Id').
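Review bot: the bare `except: pass` around both `ObjectId(node.args[0].s)` and `datetime(*values)` swallows every exception, including programming errors such as an `IndexError` when `ObjectId()` is written with no argument or an `AttributeError` when the argument is not a string (`.s`) or number (`.n`) node, and it leaves `self.current_value` untouched, so the caller cannot distinguish a malformed filter from one that set no value. Suggest catching the specific failures (`bson.errors.InvalidId`, `TypeError`, `ValueError`, `IndexError`, `AttributeError`) and raising a parse error or at least logging the rejected input instead of `pass`. The hunk also relies on `ObjectId` and `datetime` being bound in this module; the import is outside the visible context, so confirm it exists. Replacing `eval(node.func.id + expr)` with direct constructor calls is the right fix, since the call name is no longer assembled from request text.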
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8jxq-75rw-fhj9 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-8097 (advisory)
- github.com/pyeve/eve/commit/f8f7019ffdf9b4e05faf95e1f04e204aa4c91f98 (web)
- github.com/pyeve/eve/issues/1101 (web)
- github.com/pypa/advisory-database/tree/main/vulns/eve/PYSEC-2018-8.yaml (web)
News mentions
No linked articles in our index yet.