PT-2023-20523 · Pypi · Pydash

Calum Hutton · Published 2023-09-27 · Updated 2026-05-07 · CVE-2023-26145

CVSS v4.0: 9.1 Critical
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: pydash versions prior to 6.0.0

Description: The issue affects pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map(), which accept dotted paths to target nested Python objects. These paths can be used to target internal class attributes and dict items, allowing retrieval, modification, or invocation of nested Python objects. The pydash.objects.invoke() method is vulnerable to Command Injection when the source object is not a built-in object and the attacker controls both the path string and the argument passed to the invoked method. The pydash.collections.invoke_map() method is also vulnerable but harder to exploit, because the attacker has only limited control over the argument passed to the invoked function.

Recommendations: For versions prior to 6.0.0, consider disabling the pydash.objects.invoke() and pydash.collections.invoke_map() methods until a patch is available. Restrict access to these methods to minimize the risk of exploitation. Avoid passing externally controlled values as the path and argument parameters of the affected methods until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
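One way to apply the recommendations in code, as an added example that is not part of this advisory or of pydash: an input guard that approximates pydash's dotted/bracket path syntax, rejects any segment beginning with an underscore (the form private and dunder attributes take) and any root not on an allow-list, and then resolves the path with item access only, so the attributes of a non-builtin source object are never reached. The names to_segments, validate_path, is_safe_path and safe_get are chosen here, and the regex is an approximation of, not a copy of, pydash's own path parser.

```python
import re
from collections.abc import Mapping
from typing import Any, FrozenSet, List, Union

Segment = Union[str, int]
# Approximation of pydash's path syntax "a.b[0].c"; example code, not pydash's to_path().
_SEGMENT_RE = re.compile(r"\[([^\]]*)\]|([^.\[\]]+)")

class UnsafePath(ValueError):
    """Raised for a path that must not be handed to invoke()/invoke_map()."""

def to_segments(path: str) -> List[Segment]:
    """Split a dotted/bracket path; digit-only segments become list indices."""
    segments: List[Segment] = []
    for bracket, plain in _SEGMENT_RE.findall(path):
        token = plain if plain else bracket
        segments.append(int(token) if token.isdigit() else token)
    return segments

def validate_path(path: str, allowed_roots: FrozenSet[str]) -> List[Segment]:
    """Accept only paths rooted in allow-listed keys with no private segment."""
    segments = to_segments(path)
    if not segments or segments[0] not in allowed_roots:
        raise UnsafePath(f"path root not permitted: {path!r}")
    for seg in segments:
        # A segment starting with '_' addresses a private or dunder attribute
        # of a non-builtin object, the access this advisory warns about.
        if isinstance(seg, str) and (not seg or seg.startswith("_")):
            raise UnsafePath(f"private attribute segment in path: {path!r}")
    return segments

def is_safe_path(path: str, allowed_roots: FrozenSet[str]) -> bool:
    try:
        validate_path(path, allowed_roots)
    except UnsafePath:
        return False
    return True

def safe_get(obj: Any, path: str, allowed_roots: FrozenSet[str]) -> Any:
    """Resolve a validated path with item access only; getattr() is never used."""
    current = obj
    for seg in validate_path(path, allowed_roots):
        if isinstance(current, Mapping):
            current = current[seg]
        elif isinstance(current, (list, tuple)) and isinstance(seg, int):
            current = current[seg]
        else:
            raise UnsafePath(f"path leaves plain container data: {path!r}")
    return current
```

A request handler would call is_safe_path() on the incoming path before ever touching pydash, and safe_get() covers the read-only lookups for which invoke() was not needed in the first place.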

Exploit

Code Injection

Command Injection

OS Command Injection


Weakness Enumeration

Related Identifiers

CVE-2023-26145
GHSA-8MJR-6C96-39W8
PYSEC-2023-179

Affected Products

Pydash