7.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-26145

GHSA ID

GHSA-8mjr-6c96-39w8

EPSS Score

0.81503%

CWE

CWE-77

Published

9/28/2023

Updated

10/21/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-26145

CVE-2023-26145: pydash Command Injection vulnerability

This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects.

Note:

The pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied:

The source object (argument 1) is not a built-in object such as list/dict (otherwise, the init.globals path is not accessible)
The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method)

The pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function.

(GitHub Advisory)

7.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-26145

GHSA ID

GHSA-8mjr-6c96-39w8

EPSS Score

0.81503%

CWE

CWE-77

Published

9/28/2023

Updated

10/21/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pydash	pip	< 6.0.0	6.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability documentation explicitly names both functions as entry points. The root cause lies in their handling of dotted paths to access internal class attributes (like init.globals). The GitHub commit adds key restrictions in path resolution helpers (_base_get_object/base_set), which these functions utilize. Tests confirm restrictions target dunder method access. While helpers.py contains the patched logic, the exposed vulnerability manifests through the invoke() and invoke_map() API methods that consume attacker-controlled paths.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is *****ts v*rsions o* t** p**k*** py**s* ***or* *.*.*. * num**r o* py**s* m*t*o*s su** *s py**s*.o*j**ts.invok*() *n* py**s*.*oll**tions.invok*_m*p() ****pt *ott** p*t*s (***p P*t* Strin*s) to t*r**t * n*st** Pyt*on o*j**t, r*l*tiv* to t** ori*in*

Reasoning

T** vuln*r**ility *o*um*nt*tion *xpli*itly n*m*s *ot* *un*tions *s *ntry points. T** root **us* li*s in t**ir **n*lin* o* *ott** p*t*s to ****ss int*rn*l *l*ss *ttri*ut*s (lik* __init__.__*lo**ls__). T** *it*u* *ommit ***s k*y r*stri*tions in p*t* r*

7.4

Basic Information

Concerned about an active attack path?

CVE-2023-26145: pydash Command Injection vulnerability

7.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI