The vulnerability exists in the python-future library, specifically in the `future.standard_library` module. The root cause is an unconditional, unqualified `import test` statement inside the `install_aliases` function, a function whose purpose is to create aliases for Python 3 standard library modules in a Python 2 environment.
Because the statement `import test` does not name a fully qualified path, Python resolves it by searching each directory in `sys.path`, in order, for `test.py` (or a `test/` package). If an attacker has write permission to any of those directories, they can place a malicious `test.py` there. When the `future` library is initialized by a call to `install_aliases()` or `install_hooks()`, the attacker's file is imported and its module-level code runs, resulting in arbitrary code execution in the process.
This is particularly dangerous in environments that accept file uploads, since an attacker could place the malicious `test.py` in a location that lies on the application's import path. The vulnerability is present in version 1.0.0 of the `future` package, and no patch was released for that version; users are instead advised to upgrade to a non-vulnerable version.
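The defensive question the two paragraphs above raise is: on a given interpreter, which file would an unqualified `import test` actually load, and is any `sys.path` entry at or ahead of that file writable by someone other than the deployer? The following audit script is an added example, not code from python-future or from this advisory. It reimplements the relevant part of Python's search order (first `sys.path` entry containing `test.py` or `test/__init__.py` wins) on an explicit directory list so it can be tested against a constructed layout; the function names `resolve_module`, `writable_entries`, `shadow_risk` and `build_sample_layout` are hypothetical names chosen here.

```python
"""Audit where an unqualified `import test` would resolve from and whether a
writable sys.path entry sits at or ahead of it. Added example; not part of the
python-future project. All helper names below are hypothetical."""
import os
import stat
import sys
import tempfile
from typing import List, Optional, Tuple


def _resolve_dir(entry: str) -> str:
    # An empty sys.path entry means "the current working directory".
    return entry or os.getcwd()


def resolve_module(name: str, search_path: List[str]) -> Optional[Tuple[str, str]]:
    """Walk search_path in order, as the import system does for a top-level
    module, and return (directory, file) of the first match, or None."""
    for entry in search_path:
        directory = _resolve_dir(entry)
        if not os.path.isdir(directory):
            continue
        for candidate in (os.path.join(directory, name + ".py"),
                          os.path.join(directory, name, "__init__.py")):
            if os.path.isfile(candidate):
                return directory, candidate
    return None


def writable_entries(search_path: List[str]) -> List[str]:
    """Existing search_path directories that the current user can write to,
    or that are world-writable (mode bit o+w)."""
    flagged = []
    for entry in search_path:
        directory = _resolve_dir(entry)
        if not os.path.isdir(directory):
            continue
        mode = os.stat(directory).st_mode
        if os.access(directory, os.W_OK) or (mode & stat.S_IWOTH):
            flagged.append(directory)
    return flagged


def shadow_risk(name: str, search_path: List[str]) -> List[str]:
    """Writable directories at or before the entry that supplies `name`.
    A writable directory ahead of the real module lets a local writer shadow
    it; a writable resolving directory lets them replace it. If `name` does
    not resolve at all, every writable entry is a candidate drop location."""
    resolved = resolve_module(name, search_path)
    writable = set(writable_entries(search_path))
    risky = []
    for entry in search_path:
        directory = _resolve_dir(entry)
        if directory in writable and directory not in risky:
            risky.append(directory)
        if resolved and directory == resolved[0]:
            break
    return risky


def build_sample_layout() -> Tuple[str, List[str]]:
    """Constructed sample: a temp tree with an empty 'app' directory first and
    a 'site' directory holding a harmless test.py second. Returns (root, path)."""
    root = tempfile.mkdtemp(prefix="import-audit-")
    app = os.path.join(root, "app")
    site = os.path.join(root, "site")
    os.mkdir(app)
    os.mkdir(site)
    with open(os.path.join(site, "test.py"), "w", encoding="utf-8") as fh:
        fh.write('MARKER = "constructed sample, does nothing"\n')
    return root, [app, os.path.join(root, "does-not-exist"), site]


if __name__ == "__main__":
    # Run the audit against the live interpreter's own sys.path.
    hit = resolve_module("test", sys.path)
    print("`import test` resolves to:", hit[1] if hit else "nothing on sys.path")
    for directory in shadow_risk("test", sys.path):
        print("writable entry at or ahead of resolution:", directory)
```

Run as a script under the same interpreter and user the application uses; an empty-string entry (present when Python is started with `-c` or interactively) makes the working directory part of the search, which is exactly the kind of path an upload directory can end up on.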
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| future | pip | = 1.0.0 | |