GHSA-VP22-38M5-R39R
Vulnerability from github – Published: 2026-04-16 01:09 – Updated: 2026-04-16 01:09Summary
The plugin security validator in PySpector uses AST-based static analysis to prevent dangerous code from being loaded as plugins. The blocklist implemented in PluginSecurity.validate_plugin_code is incomplete and can be bypassed using several Python constructs that are not checked. An attacker who can supply a plugin file can achieve arbitrary code execution within the PySpector process when that plugin is installed and executed.
Details
The validator maintains a set called fatal_calls that enumerates explicitly forbidden function names and attribute access patterns such as eval, exec, os.system, and subprocess.Popen. However, this approach relies on an exhaustive blocklist of known-dangerous identifiers, which is inherently incomplete.
The following bypass techniques are not detected by the current implementation:
importlib.import_module is not in fatal_calls and is not treated as a dangerous module, so it can be used to load os, subprocess, or any other module at runtime without triggering the validator.
Dynamic attribute chains using __class__.__mro__ and related dunder attributes allow traversal of the class hierarchy to reach arbitrary built-in functions without naming them directly in the source.
ctypes is not blocked and can be used to call native library functions including system.
__builtins__ dictionary access exposes all built-in callables without using the names that the validator checks.
types.CodeType allows construction and execution of raw code objects.
The alias resolution in the AST visitor only handles simple import X as Y cases, so aliased imports of blocked modules evade detection, and transitive imports through unblocked modules are never examined.
Because the validator produces a pass/fail result that gates plugin installation with the --trust flag, a bypass causes untrusted plugin code to execute with the full privileges of the PySpector process.
PoC
import textwrap, tempfile, os
evil_plugin = textwrap.dedent("""
import importlib
mod = importlib.import_module('os')
mod.system('id > /tmp/pwned')
""")
with tempfile.NamedTemporaryFile(suffix=".py", mode="w", delete=False) as f:
f.write(evil_plugin)
plugin_path = f.name
from pyspector.plugin_system import PluginSecurity
result = PluginSecurity.validate_plugin_code(plugin_path)
print("Validation passed:", result)
exec(compile(open(plugin_path).read(), plugin_path, "exec"))
print("Command output:", open("/tmp/pwned").read())
os.unlink(plugin_path)
Impact
Any user or process that can supply a plugin file to PySpector and invoke the plugin installation workflow can execute arbitrary operating system commands with the privileges of the PySpector process. The static analysis check provides a false sense of security, as it can be circumvented trivially using standard library modules that are present in every Python installation. All versions of PySpector that include the plugin system are affected.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.1.7"
},
"package": {
"ecosystem": "PyPI",
"name": "pyspector"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-184"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T01:09:17Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nThe plugin security validator in PySpector uses AST-based static analysis to prevent dangerous code from being loaded as plugins. The blocklist implemented in `PluginSecurity.validate_plugin_code` is incomplete and can be bypassed using several Python constructs that are not checked. An attacker who can supply a plugin file can achieve arbitrary code execution within the PySpector process when that plugin is installed and executed.\n\n### Details\n\nThe validator maintains a set called `fatal_calls` that enumerates explicitly forbidden function names and attribute access patterns such as eval, exec, `os.system`, and `subprocess.Popen`. However, this approach relies on an exhaustive blocklist of known-dangerous identifiers, which is inherently incomplete.\n\nThe following bypass techniques are not detected by the current implementation:\n\n`importlib.import_module` is not in `fatal_calls` and is not treated as a dangerous module, so it can be used to load os, subprocess, or any other module at runtime without triggering the validator.\n\nDynamic attribute chains using `__class__.__mro__` and related dunder attributes allow traversal of the class hierarchy to reach arbitrary built-in functions without naming them directly in the source.\n\nctypes is not blocked and can be used to call native library functions including system.\n\n`__builtins__` dictionary access exposes all built-in callables without using the names that the validator checks.\n\n`types.CodeType` allows construction and execution of raw code objects.\n\nThe alias resolution in the AST visitor only handles simple import X as Y cases, so aliased imports of blocked modules evade detection, and transitive imports through unblocked modules are never examined.\n\nBecause the validator produces a pass/fail result that gates plugin installation with the --trust flag, a bypass causes untrusted plugin code to execute with the full privileges of the PySpector process.\n\n### PoC\n\n```python\nimport textwrap, tempfile, os\n\nevil_plugin = textwrap.dedent(\"\"\"\nimport importlib\nmod = importlib.import_module(\u0027os\u0027)\nmod.system(\u0027id \u003e /tmp/pwned\u0027)\n\"\"\")\n\nwith tempfile.NamedTemporaryFile(suffix=\".py\", mode=\"w\", delete=False) as f:\n f.write(evil_plugin)\n plugin_path = f.name\n\nfrom pyspector.plugin_system import PluginSecurity\n\nresult = PluginSecurity.validate_plugin_code(plugin_path)\nprint(\"Validation passed:\", result)\n\nexec(compile(open(plugin_path).read(), plugin_path, \"exec\"))\n\nprint(\"Command output:\", open(\"/tmp/pwned\").read())\nos.unlink(plugin_path)\n```\n\n### Impact\n\nAny user or process that can supply a plugin file to PySpector and invoke the plugin installation workflow can execute arbitrary operating system commands with the privileges of the PySpector process. The static analysis check provides a false sense of security, as it can be circumvented trivially using standard library modules that are present in every Python installation. All versions of PySpector that include the plugin system are affected.",
"id": "GHSA-vp22-38m5-r39r",
"modified": "2026-04-16T01:09:17Z",
"published": "2026-04-16T01:09:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ParzivalHack/PySpector/security/advisories/GHSA-vp22-38m5-r39r"
},
{
"type": "PACKAGE",
"url": "https://github.com/ParzivalHack/PySpector"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "PySpector has a Plugin Code Execution Bypass via Incomplete Static Analysis in PluginSecurity.validate_plugin_code"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.