Main Vulnerability Database Vulnerabilities #VU106024

Code Injection in asteval - CVE-2025-24359

Published: March 25, 2025

Vulnerability identifier: #VU106024

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2025-24359

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: lmfit

Affected software:
asteval

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and execute arbitrary Python code on the system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

How to mitigate CVE-2025-24359

Install updates from vendor's website.

Sources

https://github.com/lmfit/asteval/blob/cfb57f0beebe0dc0520a1fbabc35e66060c7ea71/asteval/asteval.py#L507
https://github.com/lmfit/asteval/security/advisories/GHSA-3wwr-3g9f-9gc7
https://lucumr.pocoo.org/2016/12/29/careful-with-str-format

Code Injection in asteval - CVE-2025-24359

Detailed vulnerability description

How to mitigate CVE-2025-24359

Sources

Please verify you're human