Pyspector · CVE-2026-33139
**Name of the Vulnerable Software and Affected Versions**
PySpector versions 0.1.6 and prior
**Description**
PySpector, a static analysis security testing framework for Python development, is affected by a security validation bypass in its plugin system. The `validate_plugin_code()` function in `plugin_system.py` is designed to block dangerous API calls before a plugin is executed. However, the `resolve_name()` helper only handles `ast.Name` and `ast.Attribute` node types and fails to recognize other node types such as `ast.Call`. This allows a plugin to bypass the security check by making indirect function calls via `getattr()` (for example, `getattr(os, 'system')`). Consequently, a malicious plugin can execute arbitrary system commands on the user's machine when loaded.

An attacker who can deliver a malicious plugin file to a PySpector user and convince them to install it can achieve arbitrary code execution on the user's local machine. Exploitation requires the victim to explicitly run `pyspector plugin install --trust` on the malicious file. Once the plugin is trusted and executed, an attacker can gain full read/write access to the local filesystem, exfiltrate sensitive data, establish persistence mechanisms, and potentially move laterally in CI/CD environments.
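The following is an added illustration of the weakness class described above and of how a validator should be hardened; it is not PySpector's own code. The `resolve_name()` here deliberately mirrors the narrow behaviour the advisory describes (only `ast.Name` and `ast.Attribute` are resolved), the `BLOCKED` denylist and the function names `validate_naive()` / `validate_hardened()` are assumptions, and the two plugin sources are constructed inputs that are only parsed, never executed. The hardened variant folds literal `getattr(obj, 'attr')` calls back into a dotted name so the denylist still applies, and it fails closed on any callee it cannot resolve statically.

```python
import ast

# Constructed denylist of dangerous callables (assumption: not PySpector's real list).
BLOCKED = {"os.system", "subprocess.Popen", "eval", "exec"}

# Constructed sample plugin sources (parsed with ast only, never executed).
DIRECT_PLUGIN = "import os\nos.system(cmd)\n"
INDIRECT_PLUGIN = "import os\ngetattr(os, 'system')(cmd)\n"


def resolve_name(node):
    """Narrow resolver, mirroring the behaviour described in the advisory:
    only ast.Name and ast.Attribute are handled; any other node yields None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = resolve_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def validate_naive(source):
    """Flag only calls whose callee resolves to a dotted name on the denylist.
    A callee that is itself a Call (e.g. the result of getattr) resolves to
    None and silently passes, which is the bypass."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = resolve_name(node.func)
            if name in BLOCKED:
                hits.append(name)
    return hits


def validate_hardened(source):
    """Return (kind, detail) findings. Besides direct denylist hits, this
    folds getattr(obj, 'literal') into obj.literal, reports any getattr with
    a non-literal attribute as dynamic access, and treats an unresolvable
    callee as a finding rather than a pass (fail closed)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = resolve_name(node.func)
        if name in BLOCKED:
            findings.append(("blocked-call", name))
        elif name == "getattr":
            attr = node.args[1] if len(node.args) >= 2 else None
            if isinstance(attr, ast.Constant) and isinstance(attr.value, str):
                base = resolve_name(node.args[0])
                folded = f"{base}.{attr.value}" if base else None
                if folded in BLOCKED:
                    findings.append(("blocked-call-via-getattr", folded))
                else:
                    findings.append(("dynamic-attribute", folded or "<unresolved>"))
            else:
                findings.append(("dynamic-attribute", "<non-literal>"))
        elif name is None:
            # Callee is an expression (e.g. another Call): cannot be resolved
            # statically, so refuse the plugin instead of letting it through.
            findings.append(("unresolvable-callee", type(node.func).__name__))
    return findings


if __name__ == "__main__":
    print("naive, direct:   ", validate_naive(DIRECT_PLUGIN))
    print("naive, indirect: ", validate_naive(INDIRECT_PLUGIN))
    print("hardened, direct:", validate_hardened(DIRECT_PLUGIN))
    print("hardened, indir.:", validate_hardened(INDIRECT_PLUGIN))
```

Running the module shows the naive validator catching `os.system(cmd)` but returning nothing for the `getattr` form, while the hardened validator reports both the folded `os.system` hit and the unresolvable outer callee. The design point is that a denylist over resolved names is only as good as the resolver: any callee shape the resolver does not understand must be a rejection, not a pass.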
**Recommendations**
Versions prior to 0.1.7 are affected.
Update PySpector to version 0.1.7 or later.