Security vulnerabilities and automated fixes for eval issues
2 posts found
A medium-severity vulnerability was discovered in a Slack data processing component where the use of Python's built-in `eval()` function to parse error message dictionaries could allow an attacker to inject and execute arbitrary code. The fix replaces `eval()` with the safer `ast.literal_eval()`, which safely evaluates only Python literals without executing arbitrary expressions. This change eliminates a critical attack surface that could have been exploited through crafted error messages return
A high-severity code injection vulnerability was discovered and patched in Brownie's network configuration CLI, where the use of Python's `eval()` function on potentially untrusted input could allow attackers to execute arbitrary code. The fix eliminates the dangerous `eval()` call in favor of safer alternatives, closing a door that could have been exploited to fully compromise systems running the affected tooling. This post breaks down how the vulnerability worked, how it was fixed, and what ev