python · python-statemachine · Critical
python-statemachine 3.1.2: Arbitrary code execution via SCXML data expression eval
python-statemachine 3.1.2 evaluates <data expr="..."> attributes in SCXML documents using Python's eval(), allowing arbitrary code execution.
What changed
In python-statemachine 3.1.2, the value of the expr attribute on <data> elements in an SCXML document is passed to Python's built-in eval(). Because eval() accepts any Python expression, not just data literals, an expression embedded in a processed document runs as arbitrary Python code in the host process.
Who it affects
Any application that passes attacker-controlled SCXML content to SCXMLProcessor.
What to do today
Upgrade python-statemachine to a patched version or avoid processing untrusted SCXML content.
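An input check that can sit in front of SCXMLProcessor until the upgrade lands, as an added example that is not code from the advisory or from python-statemachine: it lists every <data expr="..."> in an SCXML document and refuses any expression that is not a plain Python literal. It assumes the standard SCXML namespace and uses only the standard library; the sample documents are constructed here.

```python
import ast
import xml.etree.ElementTree as ET

SCXML_NS = "http://www.w3.org/2005/07/scxml"
DATA_TAGS = ("data", "{%s}data" % SCXML_NS)  # with and without namespace


def find_data_expressions(scxml_text):
    """Return (id, expr) for every <data> element that carries an expr attribute."""
    root = ET.fromstring(scxml_text)
    return [(el.get("id"), el.get("expr"))
            for el in root.iter()
            if el.tag in DATA_TAGS and el.get("expr") is not None]


def is_literal_expr(expr):
    """True only if expr parses as a plain Python literal (numbers, strings,
    lists, dicts, ...); calls, names and attribute access are rejected."""
    try:
        ast.literal_eval(expr)
        return True
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return False


def check_scxml(scxml_text):
    """Return the (id, expr) pairs that are NOT plain literals. An empty list
    means every data expression is inert and the document may be handed to
    SCXMLProcessor; anything else should be refused before processing."""
    return [(i, e) for i, e in find_data_expressions(scxml_text)
            if not is_literal_expr(e)]


# Constructed sample documents (not taken from the advisory).
SAFE_DOC = """<scxml xmlns="http://www.w3.org/2005/07/scxml" version="1.0" initial="idle">
  <datamodel>
    <data id="count" expr="0"/>
    <data id="label" expr="'idle'"/>
  </datamodel>
  <state id="idle"/>
</scxml>"""

# Same document with a non-literal expression: under 3.1.2 this value would reach eval().
UNSAFE_DOC = SAFE_DOC.replace('expr="0"', "expr=\"len('abc')\"")

if __name__ == "__main__":
    print(check_scxml(SAFE_DOC))    # []
    print(check_scxml(UNSAFE_DOC))  # [('count', "len('abc')")]
```

This only covers the <data expr> attribute named in the advisory; it is a stop-gap filter, not a substitute for the upgrade.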