newrelic is vulnerable to Code Injection
80
High Risk
The New Relic Python agent parses instrumentation naming rules from its configuration file at startup. Before the fix, values beginning with "lambda" in the background-task, database-trace, external-trace, function-trace, generator-trace, memcache-trace, profile-trace, and transaction-naming sections were passed to Python eval(), which executes attacker-controlled code during configuration loading. An attacker who can modify the agent config file, deployment templates, or server-side agent settings can therefore achieve arbitrary code execution in the agent process. The patch removes eval() support entirely and emits a deprecation warning when legacy lambda-prefixed values are encountered.
You are affected if you are using a version that falls within the vulnerable range.
newrelic is vulnerable to Code Injection in versions 2.0.0.1 - 12.1.0.
Upgrade the newrelic library to a patched version.
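As an added example (not New Relic's own code), the following audits an agent config for legacy lambda-prefixed values in the sections the advisory names and loads naming rules the way the patched agent does: without eval(), warning on and discarding lambda values. The section layout (prefix:target), the option names "name" and "group", and the sample config are assumptions constructed for the example.

```python
"""Audit and safely load instrumentation naming rules (example, not agent code)."""
import configparser
import warnings

# Section prefixes the advisory lists as formerly passing lambda values to eval().
RISKY_SECTION_PREFIXES = (
    "background-task", "database-trace", "external-trace", "function-trace",
    "generator-trace", "memcache-trace", "profile-trace", "transaction-name",
)

# Constructed sample config: one legacy lambda rule and one plain-string rule.
SAMPLE_CONFIG = """
[newrelic]
app_name = demo

[function-trace:myapp.views:index]
name = lambda *args, **kwargs: 'index'
group = Function

[transaction-name:myapp.views:checkout]
name = checkout
group = Function
"""


def find_lambda_values(text):
    """Return (section, option, value) for each lambda-prefixed value in a
    risky section; a pre-upgrade audit for config files and templates."""
    cp = configparser.RawConfigParser()  # no interpolation, no eval
    cp.read_string(text)
    hits = []
    for section in cp.sections():
        if not section.startswith(RISKY_SECTION_PREFIXES):
            continue
        for option, value in cp.items(section):
            if value.strip().startswith("lambda"):
                hits.append((section, option, value.strip()))
    return hits


def load_naming_rules(text):
    """Mirror the patched behaviour: never call eval(); warn on and drop legacy
    lambda values, and keep a plain string as the literal rule name."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    rules = {}
    for section in cp.sections():
        if not section.startswith(RISKY_SECTION_PREFIXES):
            continue
        name = cp.get(section, "name", fallback=None)
        if name is not None and name.strip().startswith("lambda"):
            warnings.warn(f"{section}: lambda naming rules are deprecated and ignored",
                          DeprecationWarning)
            name = None  # configuration data is never executed as code
        rules[section] = {"name": name, "group": cp.get(section, "group", fallback=None)}
    return rules
```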