This security research document presents a comprehensive analysis of a sandbox escape vulnerability discovered in the HuggingFace smolagents library. The vulnerability, addressed in Pull Request #1551, allowed attackers to bypass Python interpreter sandboxing through dunder (double underscore) method invocation. This document provides an in-depth technical examination of the vulnerability, gadget chain construction methodology, exploitation techniques, and the implemented mitigation strategies.

1. Introduction and Background

1.1 Research Context

The smolagents library, developed by HuggingFace, provides a framework for building AI agents capable of executing Python code. A critical component of this framework is the LocalPythonExecutor, which implements a sandboxed Python interpreter designed to safely execute untrusted code generated by language models.

Sandbox implementations in Python face inherent challenges due to the language’s dynamic nature and extensive introspection capabilities. The vulnerability examined in this research demonstrates how subtle implementation gaps can lead to complete sandbox compromise.

1.2 Vulnerability Overview

1.3 Document Scope

This research covers:

• Technical analysis of Python’s object model as it relates to sandbox escapes

• Detailed vulnerability root cause analysis

• Gadget chain identification and construction methodology

• Working proof-of-concept exploitation

• Mitigation effectiveness evaluation

2. Python Object Model Fundamentals

2.1 Object Hierarchy in Python

Understanding Python’s object model is essential for comprehending how sandbox escapes function. Every object in Python exists within a class hierarchy that ultimately derives from the base object class.

The following code demonstrates traversing this hierarchy:

obj = ()
print(f'Object: {obj}')
print(f'Type: {type(obj)}')
print(f'Class: {obj.__class__}')
print(f'Bases: {obj.__class__.__bases__}')
print(f'Object base: {obj.__class__.__bases__[0]}')
print(f'Subclasses count: {len(object.__subclasses__())}')

Execution Output:

2.2 Dunder Methods and Attributes

Python uses double underscore (dunder) naming convention for special methods and attributes that control fundamental object behavior:

Read more

Product: PNETLab

Affected Version: 4.2.10

Severity: High

Vulnerability Details Description: A path traversal vulnerability has been identified in PNETLab version 4.2.10. The application fails to properly sanitize user input in its file access mechanisms. This allows an attacker to manipulate file paths in HTTP requests to access sensitive files outside of the intended directory.

Impact: Exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive files on the system, potentially leading to data breaches and system compromise.

Steps to Reproduce:

1. Identify a vulnerable PNETLab instance.

2. Craft a malicious HTTP request with a manipulated file path.

3. Send the request to the server to access files outside the authorized directory.

Reference:

• Path Traversal vulnerability in PNETLab - INCIBE

• CVE-2025-40629

• INCIBE-2025-0246

Product: NTFS Tool

Affected Version: 3.5.1

Severity: Medium

Vulnerability Details Description: A vulnerability has been identified in NTFS Tool version 3.5.1 due to the insecure storage of sensitive information (CWE-922). The application’s password is not securely stored, allowing an attacker to gain access to it.

Impact: Exploiting this vulnerability could allow an attacker with access to the system to retrieve the application password, potentially leading to unauthorized access and actions.

Steps to Reproduce:

1. Install NTFS Tool version 3.5.1.

2. Locate the configuration file at the specified path.

3. Access the file to retrieve the password.

4. Use the password to gain unauthorized access or control. Reference:

• Insecure storage of sensitive information in ntfs-tool - INCIBE

• CVE-2025-2489

• INCIBE-2025-0143

Product: Korenix JETIO 6550 switch

Affected Version: Not specified in the article, but the vulnerability is identified as CVE-2024-2371. Severity: Critical

Vulnerability Details Description: The Korenix JETIO 6550 switch has a critical vulnerability, CVE-2024-2371, related to its Simple Network Management Protocol (SNMP) implementation. This flaw arises from insufficient access controls, which allows unauthorized users to exploit SNMP to gain access to sensitive data. Impact: Exploitation of this vulnerability poses significant risks to industrial control systems (ICS) and critical infrastructure. An attacker can bypass authentication to retrieve sensitive data, including configuration details and network topology information. This could be used to gather intelligence for targeted attacks, disrupt operations, or manipulate systems.

Steps to Reproduce:

1. Identify a Korenix JETIO 6550 switch with the vulnerability.

2. Send crafted SNMP requests to bypass authentication.

3. Access and retrieve sensitive data from the system.

Reference:

• Korenix JETIO 6550 - CVE-2024-2371

• CVE-2024-2371

Product: GL.iNet GL-AX1800 router

Affected Version: Not specified in the article, but the vulnerability is identified as CVE-2023-47464. Severity: Critical

Vulnerability Details Description: A critical vulnerability, CVE-2023-47464, has been discovered in the GL.iNet GL-AX1800 router. This vulnerability is a result of multiple security flaws, including Cross-Site Request Forgery (CSRF), insecure file uploads, path traversal, file overwrite, and unrestricted file access. The combination of these flaws allows for various attacks, including Remote Code Execution (RCE). Impact: Exploiting these vulnerabilities can lead to unauthorized control over the router, data breaches, network compromise, privacy violations, and the distribution of malware. Attackers can upload malicious files, access restricted directories, and download sensitive information.

Steps to Reproduce:

1. Identify a vulnerable GL.iNet GL-AX1800 router.

2. Exploit vulnerabilities such as CSRF, insecure file uploads, or path traversal to gain unauthorized access.

3. Use the file overwrite and unrestricted file access flaws to achieve Remote Code Execution.

Reference:

• GL.iNet GL-AX1800 Critical Vulnerability CVE-2023-47464

• CVE-2023-47464

Product: Moxa ioLogik E1212

Affected Version: Firmware versions prior to the security patches

Severity: Critical

Vulnerability Details Description: A series of critical security vulnerabilities have been identified in the Moxa ioLogik E1212 series. These vulnerabilities include Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), cryptographic failures, and broken access control mechanisms. A major concern is the lack of default authentication, which makes the devices susceptible to unauthorized access and potential remote code execution.

Impact: These vulnerabilities pose a significant risk to industrial networks. Attackers can exploit them to bypass authentication, execute arbitrary commands, and manipulate device configurations. A successful exploit could lead to operational disruptions, data breaches, and safety risks in critical infrastructure.

Steps to Reproduce:

1. Identify a Moxa ioLogik E1212 device that is not running the latest firmware with security patches.

2. Exploit the lack of default authentication or other vulnerabilities to gain unauthorized access.

3. Execute arbitrary commands or manipulate the device’s configuration.

Reference:

• Moxa ioLogik E1212 Vulnerabilities

• Moxa security advisories and firmware updates.

Product: ntfstool
Affected Version: 3.5.1
Severity: High

Vulnerability Details

Description: A critical security vulnerability has been identified in ntfstool version 3.5.1. The vulnerability arises from the presence of a hardcoded password in the application’s configuration file. Specifically, the file /Users/user/Library/Application Support/ntfs-tool/config.json contains the field "sudoPwd": "toor", which stores the sudo password in plaintext. This allows potential attackers with access to the configuration file to gain unauthorized elevated privileges.

Read more

CVE-2024-23780 is a critical vulnerability identified in NetBox, a widely used open-source web application designed for managing and documenting computer networks. This vulnerability, if exploited, could lead to remote code execution, posing significant security risks to organizations utilizing NetBox for network automation and management.

Remote code execution vulnerabilities are particularly concerning as they allow attackers to execute arbitrary code on the target system, potentially compromising sensitive data, disrupting operations, or even gaining unauthorized access to the network infrastructure.

Read more

ADAudit Plus, a widely-used auditing and compliance tool developed by ManageEngine, is found to be vulnerable to an arbitrary directory traversal and file manipulation attack, assigned the CVE identifier CVE-2023-50438. This vulnerability exposes organizations to significant risks, potentially allowing attackers to execute malicious actions such as unauthorized access to sensitive files, data leakage, and even compromise of the entire system.

The vulnerability arises from inadequate input validation and sanitization in the search-archived-events/update-arch-index-settings endpoint of ADAudit Plus. This flaw enables authenticated attackers to manipulate the file path parameter, leading to arbitrary directory traversal and subsequent file manipulation on the server.

Read more

A critical security vulnerability has been discovered in the NetGear DGND3700 v2 router, identified as CVE-2023-51137. This vulnerability allows for remote code execution with directory traversal and authentication bypass, enabling attackers to read operating system files. By exploiting this flaw, attackers can circumvent authentication measures and traverse directories to execute arbitrary code remotely, potentially compromising the router’s security and integrity. This vulnerability poses a significant risk to affected devices as it allows attackers to gain unauthorized access and manipulate system files. NetGear DGND3700 v2 router users are strongly advised to apply patches provided by the vendor or implement mitigations to address this vulnerability promptly and protect their network infrastructure from exploitation.

Discovered by Hazard Lab.

A high-severity security vulnerability, CVE-2024-23780, has been identified in NetBox version 3.7.0, allowing an attacker to change a user’s password without requiring knowledge of the old password. This authentication bypass poses a significant risk, potentially leading to unauthorized access, account takeover, and compromise of sensitive information. The vulnerability arises from a lack of validation checks during the password change process in NetBox version 3.7.0. An attacker can exploit this weakness to change a user’s password without providing the old password, undermining the authentication mechanism and allowing for unauthorized access. The steps to reproduce the vulnerability include logging in to NetBox as an attacker, navigating to the password change functionality, changing the password for a target user account without providing the old password, verifying the successful password change, and logging in to the target user account using the new password. This remote attack vector could be exploited with an active session or by escalating XSS to steal the CSRF token.

The vulnerability was discovered by Hazard Lab.

A critical security vulnerability, CVE-2024-23778, has been identified in NetBox version 3.7.0, enabling Remote Code Execution (RCE) through the execution of arbitrary commands within authentication customization scripts. This vulnerability poses a severe risk as attackers can manipulate the customization script to execute malicious commands, potentially compromising the security and integrity of the application. The vulnerability arises from inadequate validation of user-provided input in authentication customization scripts, allowing attackers to inject and execute arbitrary commands, leading to unauthorized access, data manipulation, and potential compromise of the underlying system. The steps to reproduce the vulnerability include accessing the authentication customization functionality, injecting a malicious command into the customization script, saving the changes, triggering the execution of the script, and observing the successful execution of the injected command and potential compromise of the system. This remote attack vector could be exploited with just a username and password, underscoring the urgency of addressing this vulnerability.

A high-severity security vulnerability, CVE-2024-23777, has been discovered in Alt-N MDaemon version 23.5.1, specifically in its handling of public and shared folder names within the application. This vulnerability allows for Authentication Cross-Site Scripting (XSS) attacks through specially crafted folder names, potentially compromising the security of users interacting with these folders. The XSS vulnerability stems from a failure to properly sanitize user input when rendering folder names within the application. Attackers can exploit this weakness by injecting crafted HTML and JavaScript code into the folder names, leading to the execution of arbitrary scripts when users interact with these folders. The steps to reproduce the vulnerability include creating or renaming a public or shared folder, injecting the provided XSS payload into the folder name, and then accessing the folder through the application or sharing its link. This remote attack vector could be exploited to disclose sensitive information to unauthorized parties.

A high-severity security vulnerability, CVE-2024-23776, has been discovered in Alt-N MDaemon version 23.5.1, specifically in its handling of public and shared folder names within the application. This vulnerability allows for Authentication Cross-Site Scripting (XSS) attacks through specially crafted folder names, posing a significant risk to the security of users interacting with these folders. The vulnerability arises from a failure to properly sanitize user input when rendering folder names, enabling attackers to inject malicious HTML and JavaScript code. Consequently, when users interact with these folders, arbitrary scripts may execute, potentially leading to information disclosure and other malicious activities. The steps to reproduce the vulnerability include creating or renaming a public or shared folder, injecting the provided XSS payload into the folder name, and then accessing the folder through the application or sharing its link. This remote attack vector could be exploited to compromise the security of affected systems. Alt-N MDaemon users are strongly advised to upgrade to a patched version or implement mitigations to address this vulnerability promptly.

The NetBox version 3.7.0 has been identified with a cross-site scripting (XSS) vulnerability, assigned CVE-2024-0948. This vulnerability allows remote attackers to inject malicious scripts into web pages viewed by other users. Exploiting this flaw could lead to various attacks, including session hijacking, sensitive data theft, and website defacement. Users of NetBox version 3.7.0 are advised to upgrade to a patched version or apply mitigations to prevent exploitation of this vulnerability.

Discovered by Hazard Lab

The vulnerability discovered in ADAudit Plus allows an attacker to perform arbitrary directory traversal, enabling them to list files and folders from any path. This exploit involves manipulating the request parameters in the “folderTree” endpoint. By sending a crafted POST request with a modified “id” parameter, an attacker can bypass path restrictions using URL encoding, such as ‘\..\..\..’. This vulnerability poses a significant risk as it allows authenticated attackers to obtain a file list from any directory. It could potentially lead to unauthorized access and information disclosure.

Discovered by Hazard Lab.

Severity: High

Vulnerability Type: Local File Inclusion (LFI)

Affected System: Open Policy Agent (OPA) v0.60.0

Open Policy Agent (OPA) is an open-source, general-purpose policy engine that enables fine-grained, context-aware policy enforcement across the entire stack. A critical security vulnerability has been identified in OPA version 0.60.0, allowing an attacker to perform Local File Inclusion (LFI) attacks through the opa parse command, leading to unauthorized access to sensitive files on the host system.

Read more

The vulnerability discovered in ADAudit Plus allows an attacker to execute arbitrary directory traversal and create files or folders. This exploit involves manipulating the indexing path within the “search-archived-events” section. By sending a crafted POST request with modified settings, an attacker can traverse directories and create files or folders at arbitrary locations. This poses a significant risk as it could be exploited by authenticated users to execute unauthorized actions.

Discovered by Hazard Lab.

Subscribe now