Submission #777643: HuggingFace smolagents 1.25.0.dev0 CWE-693 Info

Title: HuggingFace smolagents 1.25.0.dev0 CWE-693
Description:

# Technical Details

A Sandbox Escape via Allowed Dunder Method (`__str__`/`__repr__`) Abuse exists in the `evaluate_call()` function in `src/smolagents/local_python_executor.py` (lines 910-917) of smolagents. This is an incomplete fix for CVE-2025-9959. The CVE-2025-9959 fix introduced `ALLOWED_DUNDER_METHODS` at line 61, which explicitly allows the `__init__`, `__str__`, and `__repr__` dunder methods to be called. However, user-defined classes can implement malicious `__str__` or `__repr__` methods that perform a sandbox escape using the generator frame escape primitive (`gi_frame.f_locals`) to mutate `authorized_imports` and then import dangerous modules like `os`. Calling `str()` on such an object triggers RCE.

# Vulnerable Code

File: `src/smolagents/local_python_executor.py` (line 61)
Definition: `ALLOWED_DUNDER_METHODS = ["__init__", "__str__", "__repr__"]`
Why: `__str__` and `__repr__` are allowlisted, but user-defined classes can implement them with arbitrary malicious code bodies.

File: `src/smolagents/local_python_executor.py` (lines 910-917)
Method: `evaluate_call()`
Why: The dunder call check explicitly skips methods in `ALLOWED_DUNDER_METHODS`, so `__str__` and `__repr__` pass the check. A user-defined `__str__` can contain the `gi_frame.f_locals` escape to mutate `authorized_imports`.

# Reproduction

1. Install smolagents (`pip install smolagents`).
2. Create a `LocalPythonExecutor` instance.
3. Define a class with a malicious `__str__` method that uses `gi_frame.f_locals` to mutate `authorized_imports` and append `"os"`.
4. Call `str(Evil())` - this is allowed because `__str__` is in `ALLOWED_DUNDER_METHODS`.
5. Import `os` and execute arbitrary commands - achieves RCE.

# Impact

- Full Remote Code Execution on the host system.
- Simplest exploit payload of all variants - just 8 lines of natural-looking Python.
- The `str()` pattern is common in normal Python, making it easy for LLMs to be tricked via prompt injection.
Source: https://gist.github.com/YLChen-007/35b7d46e892266a0ed6dbe57802858be
User: Eric-z (UID 95890)
Submitted: 2026-03-11 14:26 (19 days ago)
Moderated: 2026-03-27 09:18 (16 days later)
Status: Duplicate
VulDB entry: 353840 [huggingface smolagents 1.25.0.dev0 Incomplete Fix CVE-2025-9959 local_python_executor.py evaluate_augassign/evaluate_call/evaluate_with privilege escalation]
Points: 0
