| Title | HuggingFace smolagents 1.25.0.dev0 CWE-693 |
|---|
| Description | # Technical Details
A sandbox escape through a with-statement dunder call bypass exists in the evaluate_with() function in src/smolagents/local_python_executor.py (lines 1246-1251) of smolagents. This is an incomplete fix for CVE-2025-9959.
The CVE-2025-9959 fix added dunder method call checks in evaluate_call (lines 910-917), but evaluate_with calls __enter__() and __exit__() directly on context manager objects using Python's native method calling, completely bypassing evaluate_call. A user-defined class with a malicious __enter__ method can use the generator frame escape primitive (gi_frame.f_locals) to mutate authorized_imports and import dangerous modules.
# Vulnerable Code
File: src/smolagents/local_python_executor.py (lines 1246-1251)
Method: evaluate_with()
Why: Calls context_expr.__enter__() and context_expr.__exit__() directly using Python's native method dispatch instead of routing through evaluate_call, completely bypassing the dunder call check.
File: src/smolagents/local_python_executor.py (lines 1257-1262)
Method: evaluate_with() (exit path)
Why: __exit__() is also called directly, not through evaluate_call.
File: src/smolagents/local_python_executor.py (lines 910-917)
Method: evaluate_call()
Why: Contains the dunder check that should block __enter__/__exit__ calls, but evaluate_with bypasses it entirely.
# Reproduction
1. Install smolagents (pip install smolagents).
2. Create a LocalPythonExecutor instance.
3. Define a class with a malicious __enter__ method that uses gi_frame.f_locals to mutate authorized_imports and append "subprocess".
4. Use the class in a with statement - evaluate_with calls __enter__() directly, bypassing the dunder check.
5. Inside the with block, import subprocess and execute arbitrary commands - achieves RCE.
# Impact
- Full Remote Code Execution on the host system.
- The exploit payload is natural-looking Python (class definition + with statement) - very easy for LLMs to generate under prompt injection.
- Any smolagents CodeAgent using default LocalPythonExecutor is vulnerable. |
|---|
| Source | https://gist.github.com/YLChen-007/d467594c1b7f2a9b6030b0b37b2736fe |
|---|
| User | Eric-z (UID 95890) |
|---|
| Submission | 11/03/2026 14:28 (19 days ago) |
|---|
| Moderation | 27/03/2026 09:18 (16 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 353840 [huggingface smolagents 1.25.0.dev0 Incomplete Fix CVE-2025-9959 local_python_executor.py evaluate_augassign/evaluate_call/evaluate_with privilege escalation] |
|---|
| Points | 0 |
|---|
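As a defender-side illustration of the description above, the following added example (not code from smolagents or from the submitter) statically screens agent-generated Python for the constructs the report names: a snippet-defined class with __enter__/__exit__, a with statement that uses it, and access to gi_frame or f_locals. The function name screen_agent_code and both sample snippets are assumptions constructed for this example.

```python
import ast

FRAME_ATTRS = {"gi_frame", "f_locals"}   # escape primitive named in the report
CM_DUNDERS = {"__enter__", "__exit__"}   # invoked natively by evaluate_with

def screen_agent_code(source: str) -> list[str]:
    """Flag the constructs the report describes, before the code is executed."""
    tree = ast.parse(source)
    findings, cm_classes = [], set()
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            dunders = sorted({n.name for n in node.body
                              if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))}
                             & CM_DUNDERS)
            if dunders:
                cm_classes.add(node.name)
                findings.append(f"line {node.lineno}: class {node.name} defines {dunders}")
        elif isinstance(node, ast.Attribute) and node.attr in FRAME_ATTRS:
            findings.append(f"line {node.lineno}: frame attribute .{node.attr}")
    # Second pass: with-statements whose context manager is a class from the snippet.
    for node in ast.walk(tree):
        if isinstance(node, (ast.With, ast.AsyncWith)):
            for item in node.items:
                expr = item.context_expr
                target = expr.func if isinstance(expr, ast.Call) else expr
                if isinstance(target, ast.Name) and target.id in cm_classes:
                    findings.append(f"line {node.lineno}: with uses snippet-defined "
                                    f"context manager {target.id}")
    return findings

# Constructed samples (parsed only, never executed).
BENIGN = """
total = 0
for i in range(3):
    total += i
"""
SUSPICIOUS = """
class Ctx:
    def __enter__(self):
        g = (x for x in [])
        return g.gi_frame.f_locals
    def __exit__(self, *exc):
        return False
with Ctx() as c:
    pass
"""

if __name__ == "__main__":
    for finding in screen_agent_code(SUSPICIOUS):
        print(finding)
```

This is a static heuristic for triage and logging; it complements, and does not replace, an executor that applies its dunder checks on the with path.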