Submission #777644: HuggingFace smolagents 1.25.0.dev0 CWE-693 info

Title: HuggingFace smolagents 1.25.0.dev0 CWE-693

Description:

# Technical Details

A Sandbox Escape via `with` Statement Dunder Call Bypass exists in the `evaluate_with()` function in `src/smolagents/local_python_executor.py` (lines 1246-1251) of smolagents. This is an incomplete fix for CVE-2025-9959. The CVE-2025-9959 fix added dunder method call checks in `evaluate_call` (lines 910-917), but `evaluate_with` calls `__enter__()` and `__exit__()` directly on context manager objects using Python's native method calling, completely bypassing `evaluate_call`. A user-defined class with a malicious `__enter__` method can use the generator frame escape primitive (`gi_frame.f_locals`) to mutate `authorized_imports` and import dangerous modules.

# Vulnerable Code

- File: `src/smolagents/local_python_executor.py` (lines 1246-1251)
  Method: `evaluate_with()`
  Why: Calls `context_expr.__enter__()` and `context_expr.__exit__()` directly using Python's native method dispatch instead of routing through `evaluate_call`, completely bypassing the dunder call check.
- File: `src/smolagents/local_python_executor.py` (lines 1257-1262)
  Method: `evaluate_with()` (exit path)
  Why: `__exit__()` is also called directly, not through `evaluate_call`.
- File: `src/smolagents/local_python_executor.py` (lines 910-917)
  Method: `evaluate_call()`
  Why: Contains the dunder check that should block `__enter__`/`__exit__` calls, but `evaluate_with` bypasses it entirely.

# Reproduction

1. Install smolagents (`pip install smolagents`).
2. Create a `LocalPythonExecutor` instance.
3. Define a class with a malicious `__enter__` method that uses `gi_frame.f_locals` to mutate `authorized_imports` and append "subprocess".
4. Use the class in a `with` statement - `evaluate_with` calls `__enter__()` directly, bypassing the dunder check.
5. Inside the `with` block, import subprocess and execute arbitrary commands - achieves RCE.

# Impact

- Full Remote Code Execution on the host system.
- The exploit payload is natural-looking Python (class definition + `with` statement) - very easy for LLMs to generate under prompt injection.
- Any smolagents CodeAgent using default LocalPythonExecutor is vulnerable.
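
A defensive pre-scan for the pattern described above, as an added example (not code from the submission or from smolagents): it statically flags agent-generated snippets that define context-manager dunders, use such a class in a `with` statement, or touch frame attributes such as `gi_frame.f_locals`, before the snippet reaches an executor. The names `scan` and `verdict` and both sample snippets are constructed for illustration, and the check is a heuristic that does not replace a fix in `evaluate_with`.

```python
import ast

# Attributes that expose interpreter frames (the submission names gi_frame.f_locals).
FRAME_ATTRS = {"gi_frame", "cr_frame", "ag_frame", "tb_frame",
               "f_locals", "f_globals", "f_builtins", "f_back"}
# Dunders that a `with` statement invokes implicitly, with no Call node in the AST.
CTX_DUNDERS = {"__enter__", "__exit__", "__aenter__", "__aexit__"}

def scan(source):
    """Return sorted (line, finding) tuples for one agent-generated snippet."""
    tree = ast.parse(source)
    findings, ctx_classes = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            for item in node.body:
                if (isinstance(item, (ast.FunctionDef, ast.AsyncFunctionDef))
                        and item.name in CTX_DUNDERS):
                    ctx_classes.add(node.name)
                    findings.add((item.lineno, f"class {node.name} defines {item.name}"))
        elif isinstance(node, ast.Attribute) and node.attr in FRAME_ATTRS:
            findings.add((node.lineno, f"frame attribute .{node.attr}"))
    for node in ast.walk(tree):
        if isinstance(node, (ast.With, ast.AsyncWith)):
            for item in node.items:
                expr = item.context_expr
                func = expr.func if isinstance(expr, ast.Call) else expr
                if isinstance(func, ast.Name) and func.id in ctx_classes:
                    findings.add((node.lineno, f"with uses in-snippet class {func.id}"))
    return sorted(findings)

def verdict(source):
    # "block" on frame introspection, "review" on in-snippet context managers.
    kinds = {msg.split()[0] for _, msg in scan(source)}
    return "block" if "frame" in kinds else "review" if kinds else "allow"

# Constructed samples: SUSPECT only reads a frame attribute, it is not a working escape.
SUSPECT = """\
class Ctx:
    def __enter__(self):
        g = (x for x in [1])
        return g.gi_frame.f_locals
    def __exit__(self, *a):
        return False
with Ctx() as v:
    pass
"""
BENIGN = "with open('data.txt') as fh:\n    n = len(fh.read())\n"
```

A context manager instantiated first and passed to `with` by variable name is not matched by the third rule, so the frame-attribute rule is the one to treat as blocking.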
Source: ⚠️ https://gist.github.com/YLChen-007/d467594c1b7f2a9b6030b0b37b2736fe
User: Eric-z (UID 95890)
Submitted: 2026-03-11 14:28 (19 days ago)
Moderated: 2026-03-27 09:18 (16 days later)
Status: Duplicate
VulDB entry: 353840 [huggingface smolagents 1.25.0.dev0 Incomplete Fix CVE-2025-9959 local_python_executor.py evaluate_augassign/evaluate_call/evaluate_with privilege escalation]
Points: 0
