CVSS Score: -

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| tqdm | pip | >= 4.4.0, < 4.66.3 | 4.66.3 |
The vulnerability is in the `cast` function of tqdm's command-line module (`tqdm/cli.py`), which converts each CLI option value to the option's declared type. The commit diff shows the original implementation did that conversion with `eval(typ + '("' + val + '")')`: the attacker-controlled value is spliced directly into Python source, so a value containing a double quote closes the string literal and whatever follows it is executed as arbitrary Python with the privileges of the tqdm process. The injected code runs before the outer `int()`/`float()`/`str()` call is applied, so it executes even when the conversion itself then fails with a type error. The patch replaced the eval with explicit per-type conversions (`int()`, `float()`, passing the value through unchanged for `str`) and, for the `chr` type, accepts only a single character or a backslash escape that matches a strict regex, so attacker text can never be evaluated outside a string literal. Any tqdm CLI invocation whose arguments can be influenced by untrusted input (shell wrappers, CI jobs, pipelines that forward user-supplied descriptions or delimiters) should be treated as exploitable below 4.66.3. The function sits directly on the argument-parsing path and is the code changed by the security fix, which is why it is identified as the vulnerable function.
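The two shapes side by side, as an added example that is the editor's own reconstruction and not tqdm's code: `cast_vulnerable` reproduces the eval-based logic described above, `cast_hardened` applies per-type conversion the way the fix describes it (its `try/except SyntaxError` around the escape eval is this example's addition, not part of the fix). The `TqdmTypeError` name mirrors tqdm's own exception; the payload, the `TQDM_DEMO_MARKER` environment variable and `run_demo()` are constructed for the demonstration, with `os.environ` standing in for `os.system()` so the effect is observable but harmless.

```python
import os
import re


class TqdmTypeError(TypeError):
    """Conversion failure for a CLI option value (name mirrors tqdm's own exception)."""


def _cast_bool(val: str, typ: str) -> bool:
    # Shared by both variants; 'True' or an empty value (bare flag) means True.
    if val in ('True', ''):
        return True
    if val == 'False':
        return False
    raise TqdmTypeError(f"{val} : {typ}")


def cast_vulnerable(val: str, typ: str):
    """Reconstruction of the pre-4.66.3 shape: the value is spliced into source code."""
    if typ == 'bool':
        return _cast_bool(val, typ)
    try:
        # A double quote inside `val` terminates the literal; the rest is Python,
        # and it runs before int()/float()/str() ever sees the result.
        return eval(typ + '("' + val + '")')
    except Exception:
        if typ == 'chr':
            # Fallback for delimiter-style options: a second, equally injectable eval.
            return chr(ord(eval('"' + val + '"'))).encode()
        raise TqdmTypeError(f"{val} : {typ}")


_ESCAPE_RE = re.compile(r"^\\\w+$")   # one backslash followed by word characters only


def cast_hardened(val: str, typ: str):
    """Per-type conversion with no eval of attacker text, built the way the fix describes."""
    if typ == 'bool':
        return _cast_bool(val, typ)
    if typ == 'chr':
        if len(val) == 1:
            return val.encode()
        if _ESCAPE_RE.match(val):
            # Only forms like \t, \n or \x41 reach eval. The regex excludes quotes,
            # parentheses and whitespace, so the evaluated text is always exactly
            # one string literal. A truncated escape such as \xzz is a SyntaxError,
            # which this example maps to TqdmTypeError (an addition to the fix).
            try:
                return eval(f'"{val}"').encode()
            except (SyntaxError, ValueError) as exc:
                raise TqdmTypeError(f"{val} : {typ}") from exc
        raise TqdmTypeError(f"{val} : {typ}")
    if typ == 'str':
        return val
    if typ == 'int':
        try:
            return int(val)
        except ValueError as exc:
            raise TqdmTypeError(f"{val} : {typ}") from exc
    if typ == 'float':
        try:
            return float(val)
        except ValueError as exc:
            raise TqdmTypeError(f"{val} : {typ}") from exc
    raise TqdmTypeError(f"{val} : {typ}")


# Constructed payload: closes the opening quote, runs a side effect, reopens the quote.
# Setting an environment variable is a harmless, checkable stand-in for os.system(...).
MARKER = "TQDM_DEMO_MARKER"
PAYLOAD = '" + (__import__("os").environ.__setitem__("TQDM_DEMO_MARKER", "pwned") or "") + "'


def run_demo() -> dict:
    """Feed the payload to both variants as if it were the value of an int-typed option."""
    results = {}
    os.environ.pop(MARKER, None)
    try:
        cast_vulnerable(PAYLOAD, 'int')
    except TqdmTypeError:
        pass                      # int("") fails, but only after the injected code ran
    results['vulnerable_ran_payload'] = os.environ.get(MARKER) == 'pwned'

    os.environ.pop(MARKER, None)
    try:
        cast_hardened(PAYLOAD, 'int')
        results['hardened_raised'] = False
    except TqdmTypeError:
        results['hardened_raised'] = True
    results['hardened_ran_payload'] = os.environ.get(MARKER) == 'pwned'
    return results


if __name__ == "__main__":
    print(run_demo())
```

The demo deliberately uses the `int` type rather than `str`: it shows that the vulnerable path executes the payload even though the conversion then fails and the caller only ever sees a `TqdmTypeError`, so a failed tqdm invocation is no evidence that nothing ran. The hardened variant raises the same error without evaluating anything.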