PT-2025-5341 · Asteval+1

Steakenthusiast · Published 2025-01-24 · Updated 2025-12-23 · CVE-2025-24359

CVSS v3.1: 8.4 High
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: asteval versions prior to 1.0.6

Description: The issue is rooted in how asteval handles FormattedValue AST nodes, specifically in on_formattedvalue, which formats the value with the dangerous format method of the str class. This allows an attacker to manipulate the format string used in the dangerous call fmt.format(__fstring__=val). The vulnerability can be exploited to access protected attributes by intentionally triggering an AttributeError exception, then catching the exception and using its obj attribute to gain arbitrary access to sensitive or protected object properties.

Recommendations: For versions prior to 1.0.6, update to version 1.0.6 to fix the issue. As a temporary workaround, consider restricting the input passed to the asteval library to prevent manipulation of FormattedValue AST nodes. Additionally, avoid using the on_formattedvalue function until the issue is resolved.
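As an added illustration (not asteval's code and not its 1.0.6 fix), a minimal f-string evaluator that applies a format spec with the builtin format() instead of splicing it into a str.format() template, so braces in a user-influenced spec are inert; the restriction of placeholders to plain names and the helper names are assumptions of this example.

```python
import ast

# f-string conversion codes as stored in ast.FormattedValue.conversion
_CONVERTERS = {-1: lambda v: v, 115: str, 114: repr, 97: ascii}


def safe_formatted_value(value, conversion=-1, format_spec=""):
    """Apply an f-string conversion and format spec to a value.

    The spec goes to the builtin format(), i.e. type(value).__format__, which
    reads it only as a format spec: braces in it are not replacement fields,
    so a spec assembled from user-controlled text cannot name attributes.
    """
    converted = _CONVERTERS[conversion](value)
    return format(converted, format_spec)


def eval_fstring(source, names):
    """Evaluate an f-string whose placeholders are plain names from `names`.

    Example assumption: placeholders may only be names, not expressions.
    Nested format specs are evaluated recursively and then handed to
    safe_formatted_value(), never concatenated into a template string.
    """
    tree = ast.parse(source, mode="eval")
    return _join(tree.body, names)


def _join(node, names):
    if isinstance(node, ast.Constant):
        return str(node.value)
    if isinstance(node, ast.JoinedStr):
        return "".join(_join(part, names) for part in node.values)
    if isinstance(node, ast.FormattedValue):
        if not isinstance(node.value, ast.Name):
            raise ValueError("only plain names are allowed in placeholders")
        value = names[node.value.id]
        spec = "" if node.format_spec is None else _join(node.format_spec, names)
        return safe_formatted_value(value, node.conversion, spec)
    raise ValueError(f"unsupported node: {type(node).__name__}")


def spec_rejected(source, names):
    """True if evaluation fails because a spec was not a valid format spec for
    the value (the type's __format__ raised), rather than being reinterpreted."""
    try:
        eval_fstring(source, names)
    except (ValueError, TypeError):
        return True
    return False
```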

Weakness Enumeration

Use of Externally-Controlled Format String

Related Identifiers

CVE-2025-24359
GHSA-3WWR-3G9F-9GC7
OESA-2025-1297
OESA-2025-1298
OESA-2025-2558
OPENSUSE-SU-2025:0052-1
OPENSUSE-SU-2025:14701-1

Affected Products

Debian
Asteval