High severity8.4NVD Advisory· Published Jan 24, 2025· Updated Apr 15, 2026

CVE-2025-24359

Description

ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, if an attacker can control the input to the asteval library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of the application using the library. The vulnerability is rooted in how asteval performs handling of FormattedValue AST nodes. In particular, the on_formattedvalue value uses the dangerous format method of the str class. The code allows an attacker to manipulate the value of the string used in the dangerous call fmt.format(__fstring__=val). This vulnerability can be exploited to access protected attributes by intentionally triggering an AttributeError exception. The attacker can then catch the exception and use its obj attribute to gain arbitrary access to sensitive or protected object properties. Version 1.0.6 fixes this issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
astevalPyPI	< 1.0.6	1.0.6

Patches

40c31962bbdf

https://github.com/lmfit/astevalvia osv

45bb47533f7a

Merge commit from fork

https://github.com/lmfit/astevalMatt NewvilleJan 18, 2025via ghsa

commit

3 files changed · +95 −20

asteval/asteval.py+5 −19 modified

@@ -44,9 +44,9 @@
 import time
 from sys import exc_info, stderr, stdout
 
-from .astutils import (HAS_NUMPY, UNSAFE_ATTRS, UNSAFE_ATTRS_DTYPES,
+from .astutils import (HAS_NUMPY,
                        ExceptionHolder, ReturnedNone, Empty, make_symbol_table,
-                       numpy, op2func, valid_symbol_name, Procedure)
+                       numpy, op2func, safe_getattr, safe_format, valid_symbol_name, Procedure)
 
 ALL_NODES = ['arg', 'assert', 'assign', 'attribute', 'augassign', 'binop',
              'boolop', 'break', 'bytes', 'call', 'compare', 'constant',
@@ -513,7 +513,7 @@ def on_formattedvalue(self, node): # ('value', 'conversion', 'format_spec')
         fmt = '{__fstring__}'
         if node.format_spec is not None:
             fmt = f'{{__fstring__:{self.run(node.format_spec)}}}'
-        return fmt.format(__fstring__=val)
+        return safe_format(fmt, self.raise_exception, node, __fstring__=val)
 
     def _getsym(self, node):
         val = self.symtable.get(node.id, ReturnedNone)
@@ -573,22 +573,8 @@ def on_attribute(self, node):    # ('value', 'attr', 'ctx')
         sym = self.run(node.value)
         if ctx == ast.Del:
             return delattr(sym, node.attr)
-        #
-        unsafe = (node.attr in UNSAFE_ATTRS or
-                 (node.attr.startswith('__') and node.attr.endswith('__')))
-        if not unsafe:
-            for dtype, attrlist in UNSAFE_ATTRS_DTYPES.items():
-                unsafe = isinstance(sym, dtype) and node.attr in attrlist
-                if unsafe:
-                    break
-        if unsafe:
-            msg = f"no safe attribute '{node.attr}' for {repr(sym)}"
-            self.raise_exception(node, exc=AttributeError, msg=msg)
-        else:
-            try:
-                return getattr(sym, node.attr)
-            except AttributeError:
-                pass
+        
+        return safe_getattr(sym, node.attr, self.raise_exception, node)
 
 
     def on_assign(self, node):    # ('targets', 'value')

asteval/astutils.py+49 −1 modified

@@ -13,6 +13,7 @@
 from tokenize import ENCODING as tk_ENCODING
 from tokenize import NAME as tk_NAME
 from tokenize import tokenize as generate_tokens
+from string import Formatter
 
 builtins = __builtins__
 if not isinstance(builtins, dict):
@@ -33,6 +34,14 @@
 except ImportError:
     pass
 
+# This is a necessary API but it's undocumented and moved around
+# between Python releases
+try:
+    from _string import formatter_field_name_split
+except ImportError:
+    formatter_field_name_split = lambda \
+        x: x._formatter_field_name_split()
+
 
 
 MAX_EXPONENT = 10000
@@ -59,7 +68,7 @@
                 '__getattribute__', '__subclasshook__', '__new__',
                 '__init__', 'func_globals', 'func_code', 'func_closure',
                 'im_class', 'im_func', 'im_self', 'gi_code', 'gi_frame',
-                'f_locals', '__asteval__')
+                'f_locals', '__asteval__','mro')
 
 # unsafe attributes for particular objects, by type
 UNSAFE_ATTRS_DTYPES = {str: ('format', 'format_map')}
@@ -266,6 +275,45 @@ def safe_lshift(arg1, arg2):
              ast.UAdd: lambda a: +a,
              ast.USub: lambda a: -a}
 
+# Safe version of getattr
+
+def safe_getattr(obj, attr, raise_exc, node):
+    """safe version of getattr"""
+    unsafe = (attr in UNSAFE_ATTRS or
+            (attr.startswith('__') and attr.endswith('__')))
+    if not unsafe:
+        for dtype, attrlist in UNSAFE_ATTRS_DTYPES.items():
+            unsafe = (isinstance(obj, dtype) or obj is dtype) and attr in attrlist
+            if unsafe:
+                break
+    if unsafe:
+        msg = f"no safe attribute '{attr}' for {repr(obj)}"
+        raise_exc(node, exc=AttributeError, msg=msg)
+    else:
+        try:
+            return getattr(obj, attr)
+        except AttributeError:
+            pass
+
+class SafeFormatter(Formatter):
+    def __init__(self, raise_exc, node):
+        self.raise_exc = raise_exc
+        self.node = node
+        super().__init__()
+
+    def get_field(self, field_name, args, kwargs):
+        first, rest = formatter_field_name_split(field_name)
+        obj = self.get_value(first, args, kwargs)
+        for is_attr, i in rest:
+            if is_attr:
+                obj = safe_getattr(obj, i, self.raise_exc, self.node)
+            else:
+                obj = obj[i]
+        return obj, first
+    
+def safe_format(_string, raise_exc, node, *args, **kwargs):
+    formatter = SafeFormatter(raise_exc, node)
+    return formatter.vformat(_string, args, kwargs)                    
 
 def valid_symbol_name(name):
     """Determine whether the input symbol name is a valid name.

tests/test_asteval.py+41 −0 modified

@@ -1586,6 +1586,47 @@ def my_func(x, y):
     etype, fullmsg = error.get_error()
     assert 'no safe attribute' in error.msg
     assert etype == 'AttributeError'
+    
+@pytest.mark.parametrize("nested", [False, True])
+def test_unsafe_format_string_access(nested):
+    """
+    addressing https://github.com/lmfit/asteval/security/advisories/GHSA-3wwr-3g9f-9gc7
+    """
+    interp = make_interpreter(nested_symtable=nested)
+    interp(textwrap.dedent("""
+            f"{dict:'\\x7B__fstring__.__class__.s\\x7D'}"
+
+     """),  raise_errors=False)
+
+    error = interp.error[0]
+    etype, fullmsg = error.get_error()
+    assert 'no safe attribute' in error.msg
+    assert etype == 'AttributeError'
+    
+@pytest.mark.parametrize("nested", [False, True])
+def test_unsafe_attr_dtypes(nested):
+    """
+    addressing https://github.com/lmfit/asteval/security/advisories/GHSA-3wwr-3g9f-9gc7
+    """
+    interp = make_interpreter(nested_symtable=nested)
+    interp(textwrap.dedent("""
+            '{0}'.format(dict)
+     """),  raise_errors=False)
+
+    error = interp.error[0]
+    etype, fullmsg = error.get_error()
+    assert 'no safe attribute' in error.msg
+    assert etype == 'AttributeError'
+    
+    interp = make_interpreter(nested_symtable=nested)
+    interp(textwrap.dedent("""
+            str.format('{0}', dict)
+     """),  raise_errors=False)
+    
+    error = interp.error[0]
+    etype, fullmsg = error.get_error()
+    assert 'no safe attribute' in error.msg
+    assert etype == 'AttributeError'
 
 
 @pytest.mark.parametrize("nested", [False, True])

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.

cvss	0.546
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000