CVE-2025-24359 · HIGH 8.4 · EPSS percentile 12.3%

CVE-2025-24359

Description

ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, if an attacker can control the input to the `asteval` library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of the application using the library. The vulnerability is rooted in how `asteval` handles `FormattedValue` AST nodes. In particular, the `on_formattedvalue` handler uses the `str` class's `format` method, which is dangerous with untrusted input. The code allows an attacker to manipulate the value of the string used in the dangerous call `fmt.format(__fstring__=val)`. This vulnerability can be exploited to access protected attributes by intentionally triggering an `AttributeError` exception. The attacker can then catch the exception and use its `obj` attribute to gain arbitrary access to sensitive or protected object properties. Version 1.0.6 fixes this issue.

Scoring

CVSS 3.1: 8.4 (HIGH)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.22% probability of exploitation · percentile 12.3% · 2026-06-19T12:03:05Z
Published: 2025-01-24
Last modified: 2026-04-15

Underlying weaknesses (2)

CWE-134, CWE-749

References

  1. https://github.com/lmfit/asteval/blob/cfb57f0beebe0dc0520a1fbabc35e66060c7ea71/asteval/asteval.py#L507
  2. https://github.com/lmfit/asteval/security/advisories/GHSA-3wwr-3g9f-9gc7
  3. https://lucumr.pocoo.org/2016/12/29/careful-with-str-format

Type     | Target                                               | Confidence | Tier
Weakness | Use of Externally-Controlled Format String (cwe-134) | 0%         | live
Weakness | Exposed Dangerous Method or Function (cwe-749)       | 0%         | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-12735
  2. CVE-2025-27516
  3. CVE-2026-32640
  4. CVE-2026-10210
  5. CVE-2026-41507
  6. CVE-2025-32798

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.