simpleeval
Fixed in
1.0.6
1.0.5
CVE-2026-32640 is a high-severity vulnerability affecting the SimpleEval Python library. This flaw allows attackers to leak potentially dangerous modules and functions through object access within the library's sandbox environment. Versions 1.0.0 through 1.0.4 are vulnerable, and a fix is available in version 1.0.5.
The impact of CVE-2026-32640 is significant, as it allows for complete remote code execution. An attacker can leverage this vulnerability to gain control of the affected system, potentially leading to data theft, system compromise, and further lateral movement within the network. The vulnerability stems from SimpleEval's insufficient validation of input objects. Specifically, if the names parameter contains objects with attributes that expose access to the operating system (e.g., os.path, shutil, numpy.ctypeslib.os), an attacker can chain these attributes to execute arbitrary commands. The discovery by @ByamB4 highlights the ease with which this can be achieved, demonstrating the potential for widespread exploitation.
CVE-2026-32640 was publicly disclosed on March 13, 2026. The vulnerability's simplicity and the widespread use of Python libraries make it a potential target for exploitation. While no public exploits have been confirmed at the time of writing, the ease of exploitation demonstrated by the researcher suggests a high probability of exploitation. The vulnerability is not currently listed on CISA KEV, but its severity warrants monitoring. Public proof-of-concept code is likely to emerge, increasing the risk of exploitation.
Applications that utilize SimpleEval to evaluate user-provided expressions, particularly those deployed in environments where user input is not thoroughly validated, are at significant risk. This includes applications that dynamically generate code or configurations based on user input, as well as those that use SimpleEval for sandboxed scripting or evaluation of untrusted data.
• python / library:

    from importlib import metadata  # standard-library replacement for the deprecated pkg_resources

    # Check for vulnerable versions
    version = metadata.version('simpleeval')
    if version in ['1.0.0', '1.0.1', '1.0.2', '1.0.3', '1.0.4']:
        print("Vulnerable SimpleEval version detected!")

    # Inspect objects passed to SimpleEval for potentially dangerous attributes.
    # This is a simplified example and requires more robust analysis.

• generic web: Review application code that utilizes SimpleEval to identify potential injection points where malicious objects could be passed to the library.
Disclosure
Exploit status
EPSS: 0.13% (32nd percentile)
CISA SSVC
The primary mitigation for CVE-2026-32640 is to upgrade to SimpleEval version 1.0.5 or later, which includes the necessary fixes. If upgrading is not immediately feasible, consider implementing input validation to restrict the objects passed to SimpleEval. Specifically, whitelist allowed modules and attributes, preventing the use of potentially dangerous ones like os and sys. While a WAF is unlikely to directly mitigate this vulnerability, careful input sanitization within the application using SimpleEval could provide an additional layer of defense. After upgrading, confirm the fix by attempting to execute a SimpleEval expression with a known malicious object and verifying that it is properly blocked.
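The allow-list approach recommended above, as an added example that is not code from the advisory or from the simpleeval project: only plain data (scalars and containers of scalars) is allowed into the `names` mapping handed to SimpleEval, so module objects such as `os.path` or callables never reach the sandbox, and the installed package version is checked against the affected range stated in the advisory (1.0.0 through 1.0.4). The function names and the sample mapping are constructed for illustration.

```python
# Added example (hypothetical helpers, not the project's own API): filter the
# `names` mapping before it reaches SimpleEval and check the installed version.
from importlib import metadata
import numbers
import re

# Plain data only. Modules, functions, classes and instances of user classes
# are rejected because their attributes can be chained back to os/sys.
SAFE_SCALARS = (str, bytes, bool, numbers.Number, type(None))
MAX_DEPTH = 8


def is_safe_value(value, _depth=0):
    """True if `value` is plain data: scalars, or containers holding only plain data."""
    if _depth > MAX_DEPTH:  # refuse absurdly deep nesting
        return False
    if isinstance(value, SAFE_SCALARS):
        return True
    if isinstance(value, (list, tuple, set, frozenset)):
        return all(is_safe_value(v, _depth + 1) for v in value)
    if isinstance(value, dict):
        return all(isinstance(k, str) and is_safe_value(v, _depth + 1)
                   for k, v in value.items())
    return False  # anything else (modules, callables, arbitrary objects) is dropped


def safe_names(names):
    """Return (allowed, rejected): a filtered copy of `names` and the keys dropped."""
    allowed, rejected = {}, []
    for key, value in names.items():
        if isinstance(key, str) and key.isidentifier() and is_safe_value(value):
            allowed[key] = value
        else:
            rejected.append(key)
    return allowed, rejected


def _parse_version(version):
    """Turn '1.0.5' (or '1.0.5rc1') into a comparable (major, minor, patch) tuple."""
    parts = []
    for piece in version.split(".")[:3]:
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable_version(version):
    """True for the affected range given in the advisory: 1.0.0 through 1.0.4."""
    return (1, 0, 0) <= _parse_version(version) < (1, 0, 5)


def installed_simpleeval_is_vulnerable():
    """Check the installed package; returns None if simpleeval is not installed."""
    try:
        return is_vulnerable_version(metadata.version("simpleeval"))
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    import os  # used only to build a constructed sample containing a module object

    # Constructed sample of what a naive application might hand to SimpleEval.
    sample = {"price": 12.5, "qty": 3, "tags": ["a", "b"],
              "helper": os.path, "fn": len, "cfg": {"mode": "strict"}}
    allowed, rejected = safe_names(sample)
    print("allowed:", sorted(allowed))
    print("rejected:", rejected)
    print("installed simpleeval vulnerable:", installed_simpleeval_is_vulnerable())
```

Pass the `allowed` dictionary, never the raw mapping, as SimpleEval's `names`; log the `rejected` keys, since a rejected key in production usually points at the injection point the generic-web check above asks you to look for. The filter is deliberately stricter than necessary (it also drops harmless callables) because the cost of a false positive is a failed expression, whereas the cost of a false negative is code execution.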
Update the SimpleEval library to version 1.0.5 or later to mitigate the vulnerability. This version fixes the issue by preventing dangerous objects from entering the sandbox and blocking unauthorized access to functions and modules.
CVE-2026-32640 is a high-severity vulnerability in SimpleEval versions 1.0.0 through 1.0.4 that allows attackers to leak dangerous modules and functions within the sandbox, potentially leading to code execution.
You are affected if you are using SimpleEval versions 1.0.0, 1.0.1, 1.0.2, 1.0.3, or 1.0.4 in your Python applications.
Upgrade SimpleEval to version 1.0.5 or later to remediate the vulnerability. If upgrading is not immediately possible, implement strict input validation and sanitization.
As of now, there are no publicly available proof-of-concept exploits or confirmed reports of active exploitation, but it's crucial to apply the fix proactively.
Refer to the SimpleEval project's official repository or documentation for the latest security advisories and updates related to CVE-2026-32640.