CVE-2023-26145: 
Python vulnerability analysis and mitigation

CVE-2023-26145 affects versions of the pydash package before 6.0.0. The vulnerability was discovered in September 2023 and involves command injection risks in certain pydash methods that handle dotted paths for nested object access. The affected methods include pydash.objects.invoke() and pydash.collections.invoke_map() (NVD, Snyk Advisory).

The vulnerability exists in pydash methods that accept dotted paths (Deep Path Strings) to target nested Python objects. These paths can be used to target internal class attributes and dict items for retrieval, modification, or invocation of nested Python objects. The vulnerability has received a CVSS v3.1 base score of 8.1 (HIGH) from NIST and 7.4 (HIGH) from Snyk, with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

When successfully exploited, the vulnerability can lead to command injection, potentially resulting in unauthorized code execution. The impact includes total loss of confidentiality and integrity, allowing attackers to access restricted information and modify protected files (Snyk Advisory).

The vulnerability has been fixed in pydash version 6.0.0. The fix prevents access to dunder-methods that could expose access to globals through leaky attributes such as obj.init.globals. Users should upgrade to version 6.0.0 or higher to mitigate this vulnerability (GitHub Patch).