CVE-2025-24359
Published: 24 January 2025
Description
Adversaries may abuse Python commands and scripts for execution.
Security Summary
CVE-2025-24359 is a high-severity vulnerability (CVSS 8.4) in the ASTEVAL library, a Python expression and statement evaluator, affecting versions prior to 1.0.6. The issue stems from improper handling of FormattedValue AST nodes in the on_formattedvalue method, which invokes the str class's format method insecurely via fmt.format(__fstring__=val). This allows attackers controlling input to asteval to manipulate the format string, bypass the library's sandbox restrictions, and execute arbitrary Python code within the host application's context. It is associated with CWE-134 (Use of Externally-Controlled Format String) and CWE-749 (Exposed Dangerous Method or Function).
An attacker with the ability to supply input to an application using asteval can exploit this locally (AV:L) with low complexity (AC:L) and no privileges (PR:N), requiring no user interaction (UI:N). By crafting input that triggers an AttributeError exception during formatting, the attacker can catch the exception and access its obj attribute, enabling arbitrary read/write access to protected object properties and full code execution in the application's security context, with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).
The GitHub security advisory (GHSA-3wwr-3g9f-9gc7) and affected code confirm that upgrading to version 1.0.6 resolves the issue by addressing the insecure format handling. Additional context on str.format risks is provided in a 2016 blog post by Armin Ronacher.
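As an added illustration (not asteval's own code), the safe way to apply a user-supplied format spec to a value: hand the spec to the builtin `format()` rather than splicing it into a `str.format` template as the vulnerable `fmt.format(__fstring__=val)` pattern did. The builtin parses the spec purely as a format specification, so brace characters cannot open a new replacement field, and an explicit brace check rejects them outright. The helper name, the brace check and the conversion-code table are assumptions added here.

```python
import re
from typing import Any

# Constructed example, not asteval's code. Mirrors the conversion handling of an
# ast.FormattedValue node (conversion: -1 none, 115 's', 114 'r', 97 'a') and
# applies the format spec without ever building a str.format template.

_CONVERSIONS = {-1: lambda v: v, 115: str, 114: repr, 97: ascii}
_BRACE = re.compile(r"[{}]")


def safe_formatted_value(value: Any, conversion: int = -1, format_spec: str = "") -> str:
    """Render a value the way an f-string replacement field would, safely.

    The spec goes to builtin format(), which treats it only as a format
    specification; unlike a spliced str.format template it cannot open another
    replacement field or reach attributes and indices of the formatted object.
    """
    if not isinstance(format_spec, str):
        raise TypeError("format spec must be a string")
    if _BRACE.search(format_spec):
        # Defence in depth: a legitimate format spec never contains braces.
        raise ValueError("format spec must not contain '{' or '}'")
    try:
        convert = _CONVERSIONS[conversion]
    except KeyError:
        raise ValueError(f"unknown conversion code {conversion!r}") from None
    return format(convert(value), format_spec)


if __name__ == "__main__":
    print(safe_formatted_value(3.14159, format_spec=".2f"))  # 3.14
    print(safe_formatted_value("x", 114, ">5"))               #   'x'
```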
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables arbitrary Python code execution by bypassing ASTEVAL sandbox restrictions via insecure format string handling, directly mapping to T1059.006.