statsmodels is vulnerable to Eval Injection
45
Medium Risk
Affected versions of the package are vulnerable to eval injection. The statsmodels library uses the string-based formula language from patsy, which evaluates the terms of a formula as Python expressions. Suppose you have a formula like "y ~ (a + b + c + d) ** 2" and create a template in which y is replaced with {y}. The value that ends up in {y} in the final string is then directly controlled by the user. It is quite easily exploitable, as shown in the snippet below:

> ipython
IN [0]: import statsmodels.formula.api as smf
In [1]: mod = smf.ols(formula="print('cucu')", data={})
cucu
...
ValueError: negative dimensions are not allowed

The injected print call is executed before the call fails on the empty data set.
You are affected if you are using a version that falls within the vulnerable range.
statsmodels is vulnerable to Eval Injection in all versions.
There is no fix at the moment. The maintainers place the responsibility with the user. If you continue to use this library, treat every value that you pass into a statsmodels formula as untrusted and validate it before it reaches the formula string.
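One way to apply that advice to the template from this advisory is to never interpolate a raw user value into the formula, but to accept only a plain identifier that names a known column. The helper below is an added example written for this page, not code from statsmodels or patsy; the column set is a constructed sample, and the resulting string is what you would hand to smf.ols.

```python
import keyword
import re

# Formula template from the advisory: the {y} slot is the user-controlled part,
# so its value must be validated before it is interpolated.
FORMULA_TEMPLATE = "{y} ~ (a + b + c + d) ** 2"

# A plain Python/patsy identifier: letters, digits, underscores, no leading digit.
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def validate_column_name(name, allowed_columns):
    """Return name unchanged if it is a plain identifier naming a known column.

    Operators, quotes, parentheses, calls such as print('cucu'), Python
    keywords and unknown columns are all rejected, so the value can never be
    interpreted as code when patsy evaluates the formula.
    """
    if not isinstance(name, str) or not IDENTIFIER_RE.fullmatch(name):
        raise ValueError(f"invalid column name: {name!r}")
    if keyword.iskeyword(name):
        raise ValueError(f"column name is a Python keyword: {name!r}")
    if name not in allowed_columns:
        raise ValueError(f"unknown column: {name!r}")
    return name


def build_formula(y, allowed_columns):
    """Fill the template with a validated response variable."""
    return FORMULA_TEMPLATE.format(y=validate_column_name(y, allowed_columns))


def is_formula_safe(y, allowed_columns):
    """True if y would be accepted by validate_column_name, False otherwise."""
    try:
        validate_column_name(y, allowed_columns)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: the columns of a hypothetical DataFrame.
    columns = {"y", "a", "b", "c", "d"}
    print(build_formula("y", columns))  # y ~ (a + b + c + d) ** 2
    for candidate in ["print('cucu')", "z", "lambda", "a b"]:
        status = "accepted" if is_formula_safe(candidate, columns) else "rejected"
        print(repr(candidate), status)
```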
Romain Slootmaekers