
Cloud Vulnerability DB
A community-led vulnerabilities database
ASTEVAL (pip package) version 1.0.5 and earlier contains a sandbox escape vulnerability that allows attackers to bypass safety restrictions and execute arbitrary Python code within the application's context. The vulnerability was discovered and disclosed on January 23, 2025, affecting all versions up to and including 1.0.5, with a patch available in version 1.0.6. This high severity vulnerability (CVSS score 8.4) impacts the core security functionality of the ASTEVAL library (GitHub Advisory).
The vulnerability stems from improper attribute access verification in the ASTEVAL library's on_attribute node handler. The core issue is that the Procedure class exposes AST nodes through its unprotected body attribute, so sandboxed code can reach and modify them. The bypass relies on a Time of Check, Time of Use (TOCTOU) condition: the handler derives an "unsafe" flag from node.attr, but an attacker can change node.attr after that check and before the lookup, so the value actually looked up differs from the one validated. This allows access to restricted attributes such as `__getattribute__` (GitHub Advisory).
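The check-then-use pattern described above, reduced to its essentials. This is an added example written for this report, not code from asteval or from the advisory: the denylist, the handler bodies and the `FlippingNode` test double (which models an AST node whose `attr` field changes between two reads) are all constructed here. The vulnerable handler reads `node.attr` once for the check and again for the lookup; the hardened one snapshots the name, validates the snapshot, and uses only the snapshot, so a later change to the node cannot affect what is looked up.

```python
import ast

# Constructed denylist for the demo (assumption: not asteval's exact UNSAFE_ATTRS).
UNSAFE_ATTRS = frozenset({
    "__getattribute__", "__subclasses__", "__globals__", "__code__",
    "__builtins__", "__class__", "__bases__", "__mro__", "__dict__",
})


class AttributeBlocked(Exception):
    """Raised when the evaluator refuses an attribute lookup."""


def on_attribute_vulnerable(node, value):
    """Check-then-use: node.attr is read for the check and read AGAIN for the
    lookup. If the node is mutable and reachable from the sandboxed program,
    the two reads can disagree and the denylist is bypassed."""
    unsafe = node.attr in UNSAFE_ATTRS      # time of check
    if unsafe:
        raise AttributeBlocked(node.attr)
    return getattr(value, node.attr)        # time of use: second read


def on_attribute_hardened(node, value):
    """Snapshot the name once, validate the snapshot, use the snapshot.
    Rejects every dunder name as well as the explicit denylist."""
    attr = node.attr                        # single read
    if not isinstance(attr, str):
        raise AttributeBlocked(repr(attr))
    if attr.startswith("__") or attr in UNSAFE_ATTRS:
        raise AttributeBlocked(attr)
    return getattr(value, attr)             # same value that was checked


class FlippingNode:
    """Constructed test double for an ast.Attribute whose .attr changes
    between reads, modelling the TOCTOU window (first read: 'first',
    every later read: 'then')."""

    def __init__(self, first, then):
        self._first = first
        self._then = then
        self._reads = 0

    @property
    def attr(self):
        self._reads += 1
        return self._first if self._reads == 1 else self._then


def demo():
    """Exercise both handlers; returns a dict of booleans for checking."""
    results = {}

    # A real ast.Attribute node for a benign lookup passes the hardened guard.
    benign = ast.parse("x.upper", mode="eval").body
    results["benign_ok"] = on_attribute_hardened(benign, "abc")() == "ABC"

    # Vulnerable handler: check sees 'upper', lookup sees the dunder.
    leaked = on_attribute_vulnerable(FlippingNode("upper", "__getattribute__"), "abc")
    results["vulnerable_leaks_dunder"] = leaked.__name__ == "__getattribute__"

    # Hardened handler reads attr once, so the later change has no effect.
    safe = on_attribute_hardened(FlippingNode("upper", "__getattribute__"), "abc")
    results["hardened_ignores_flip"] = safe() == "ABC"

    # Hardened handler refuses a dunder even on an unmodified node.
    dunder = ast.parse("x.__getattribute__", mode="eval").body
    try:
        on_attribute_hardened(dunder, "abc")
        results["hardened_blocks_dunder"] = False
    except AttributeBlocked:
        results["hardened_blocks_dunder"] = True

    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The single-read discipline is the general fix for this class of bug: any value that is validated must be the same object that is subsequently used, which in an AST evaluator means never re-dereferencing a node field after the check has run.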
When successfully exploited, this vulnerability allows attackers to execute arbitrary Python code within the application's context, leading to complete system compromise. The CVSS base metrics indicate high impact across confidentiality, integrity, and availability, though the attack requires local access. The vulnerability enables attackers to bypass sandbox restrictions and potentially execute system commands (GitHub Advisory).
Users should upgrade to ASTEVAL version 1.0.6 or later, which contains security hardening fixes that address this vulnerability. The patch was implemented through multiple security hardening fixes in the codebase (GitHub Commit).
Source: This report was generated using AI