Submission #777643: HuggingFace smolagents 1.25.0.dev0 CWE-693 (Info)

Title: HuggingFace smolagents 1.25.0.dev0 CWE-693

Description:

# Technical Details

A Sandbox Escape via Allowed Dunder Method (__str__/__repr__) Abuse exists in the evaluate_call() function in src/smolagents/local_python_executor.py (lines 910-917) of smolagents. This is an incomplete fix for CVE-2025-9959. The CVE-2025-9959 fix introduced ALLOWED_DUNDER_METHODS at line 61, which explicitly allows __init__, __str__, and __repr__ dunder methods to be called. However, user-defined classes can implement malicious __str__ or __repr__ methods that perform sandbox escape using the generator frame escape primitive (gi_frame.f_locals) to mutate authorized_imports and then import dangerous modules like os. Calling str() on such an object triggers RCE.

# Vulnerable Code

File: src/smolagents/local_python_executor.py (line 61)
Definition: ALLOWED_DUNDER_METHODS = ["__init__", "__str__", "__repr__"]
Why: __str__ and __repr__ are allowlisted, but user-defined classes can implement them with arbitrary malicious code bodies.

File: src/smolagents/local_python_executor.py (lines 910-917)
Method: evaluate_call()
Why: The dunder call check explicitly skips methods in ALLOWED_DUNDER_METHODS, so __str__ and __repr__ pass the check. User-defined __str__ can contain gi_frame.f_locals escape to mutate authorized_imports.

# Reproduction

1. Install smolagents (pip install smolagents).
2. Create a LocalPythonExecutor instance.
3. Define a class with a malicious __str__ method that uses gi_frame.f_locals to mutate authorized_imports and append "os".
4. Call str(Evil()) - this is allowed because __str__ is in ALLOWED_DUNDER_METHODS.
5. Import os and execute arbitrary commands - achieves RCE.

# Impact

- Full Remote Code Execution on the host system.
- Simplest exploit payload of all variants - just 8 lines of natural-looking Python.
- The str() pattern is common in normal Python, making it easy for LLMs to be tricked via prompt injection.
Source: ⚠️ https://gist.github.com/YLChen-007/35b7d46e892266a0ed6dbe57802858be
User: Eric-z (UID 95890)
Submission: March 11, 2026 14:26 (20 days ago)
Moderation: March 27, 2026 09:18 (16 days later)
Status: Duplicate
VulDB entry: 353840 [huggingface smolagents 1.25.0.dev0 Incomplete Fix CVE-2025-9959 local_python_executor.py evaluate_augassign/evaluate_call/evaluate_with privilege escalation]
Points: 0
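
A pre-execution check for the pattern this submission describes, added here as an example (not code from smolagents or from the submitter): it parses agent-generated code and reports frame-introspection names referenced inside allowlisted dunder methods of user-defined classes. `FRAME_ATTRS`, the function name and the sample input are assumptions constructed for illustration.

```python
import ast

# From the report: names allowlisted by the CVE-2025-9959 fix.
ALLOWED_DUNDER_METHODS = ["__init__", "__str__", "__repr__"]
# Assumption: names this check treats as frame introspection.
FRAME_ATTRS = {"gi_frame", "cr_frame", "ag_frame",
               "f_locals", "f_globals", "f_back", "f_builtins"}


def frame_access_in_allowed_dunders(source):
    """Return sorted (class, method, name, lineno) tuples for frame-introspection
    names referenced inside allowlisted dunder methods of user-defined classes."""
    findings = []
    for cls in ast.walk(ast.parse(source)):
        if not isinstance(cls, ast.ClassDef):
            continue
        for item in cls.body:
            if not isinstance(item, (ast.FunctionDef, ast.AsyncFunctionDef)):
                continue
            if item.name not in ALLOWED_DUNDER_METHODS:
                continue  # only the allowlisted names are in scope here
            for node in ast.walk(item):
                name = None
                if isinstance(node, ast.Attribute):
                    name = node.attr
                elif isinstance(node, ast.Constant) and isinstance(node.value, str):
                    name = node.value  # also covers getattr(obj, "gi_frame")
                if name in FRAME_ATTRS:
                    findings.append((cls.name, item.name, name, node.lineno))
    return sorted(findings, key=lambda f: (f[3], f[2]))


# Constructed sample input: one ordinary class, one that touches frame objects.
SAMPLE = '''
class Report:
    def __str__(self):
        return "weekly report"

class Probe:
    def __repr__(self):
        g = (i for i in ())
        scope = g.gi_frame.f_locals
        return str(getattr(g, "gi_frame") is not None)
'''

if __name__ == "__main__":
    for finding in frame_access_in_allowed_dunders(SAMPLE):
        print(finding)
```

A name-based scan like this is a triage heuristic for logged or queued agent code; it does not replace a fix in the executor.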
