CVE-2024-23346

high-risk

Published 2024-02-21

Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library prior to version 2024.2.20. This method insecurely utilizes `eval()` for processing input, enabling execution of arbitrary code when parsing untrusted input. Version 2024.2.20 fixes this issue.

Do I need to act?

48.5% chance of exploitation in next 30 days

EPSS score — higher than 52% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

52205

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.3/10 Critical

LOCAL / LOW complexity

Affected Products (1)

Pymatgen

Affected Vendors

Materialsvirtuallab

References (7)

Broken Link https://github.com/materialsproject/pymatgen/blob/master/pymatgen/symmetry/setti...

Patch https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd...

Exploit https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-...

Broken Link https://github.com/materialsproject/pymatgen/blob/master/pymatgen/symmetry/setti...

Patch https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd...

Exploit https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-...

Exploit https://www.vicarius.io/vsociety/posts/critical-security-flaw-in-pymatgen-librar...

/ 100

high-risk

Severity 28/34 · Critical

Exploitability 18/34 · Moderate

Exposure 5/34 · Minimal