Sandboxing Python is notoriously difficult, the Python module "asteval" [CVE pending]

Sandboxing Python is notoriously difficult, and the Python module "asteval" is no exception. Add to this the fact that a large set of numpy functions is exposed within the sandbox by default.
Versions <=1.06 are vulnerable.
This vuln has been disclosed to the maintainer, who closed the security advisory and has since pushed his own fix to master. A CVE is still pending. Publishing the vulnerability through this list will hopefully inform users who are running vulnerable versions.

========================================================================
Summary
========================================================================
An attacker who can pass input to the `asteval` library, when it is used with `numpy` functions in the symbol table (the default setting), can bypass its restrictions and execute arbitrary code as the user who ran the Python process.

========================================================================
Details
========================================================================
`numpy.ndarray` has an attribute `ctypes` (https://numpy.org/doc/stable/reference/generated/numpy.ndarray.ctypes.html#numpy.ndarray.ctypes).
This object is intended to support interfacing with the `ctypes` module. It has an undocumented attribute `_ctypes`, which is a reference to the `ctypes` module itself; that module exposes direct memory read/write primitives and interfaces to C libraries.

This attribute is not blocked by asteval's filter on attribute access, `safe_getattr`.

`asteval` adds a set of `numpy` functions to its symbol table by default. In: https://github.com/lmfit/asteval/blob/40c31962bbdfe1012aacca1892a8d9263a67258e/asteval/astutils.py#L506 (`use_numpy=True`)
The set of numpy functions which are added: https://github.com/lmfit/asteval/blob/40c31962bbdfe1012aacca1892a8d9263a67258e/asteval/astutils.py#L111-L157

Any of these numpy functions that hands the user a reference to an instance of `numpy.ndarray` exposes a path to `ctypes`.
The most trivial of these is `numpy.array`, but because this datatype is such a cornerstone of the `numpy` library, there are abundant paths to a `numpy.ndarray`, to the point where removing all of them from `asteval` would negate most of the value of including `numpy` in the first place.
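The root cause described above is an attribute-access filter that lets the `ctypes` attribute through. The following is an added example, not asteval's own `safe_getattr` and not the maintainer's fix: it shows the shape of gate a sandbox needs, applied on every hop of a dotted attribute path, so that an array object cannot be used as a bridge to `ctypes`. numpy is deliberately not imported; `FakeArray` and `_FakeCtypesBridge` are constructed stand-ins that mimic just the surface of `numpy.ndarray` this check touches, and the extra names in `DENIED_ATTRS` beyond `ctypes` are an assumption about what a defender would also want blocked.

```python
"""Added example: a per-hop attribute gate for a Python expression sandbox.
Not asteval code. Stand-in classes replace numpy so the block runs offline."""


class _FakeCtypesBridge:
    """Constructed stand-in for the object numpy.ndarray.ctypes returns.
    In real numpy its `_ctypes` attribute is the ctypes module itself."""
    _ctypes = object()


class FakeArray:
    """Constructed stand-in for numpy.ndarray with only the attributes
    this example needs: two harmless ones and the dangerous `ctypes`."""
    shape = (0,)
    dtype = "float64"
    ctypes = _FakeCtypesBridge()


class AttributeAccessDenied(AttributeError):
    """Raised when an expression tries to reach a blocked attribute."""


# Attribute names that hand the caller native-memory or FFI capabilities,
# or a way to climb back to interpreter internals. `ctypes` is the one this
# advisory is about; the rest are assumed additions a defender would want.
DENIED_ATTRS = frozenset({
    "ctypes", "__class__", "__dict__", "__subclasses__",
    "__globals__", "__builtins__", "__getattribute__",
})


def guarded_getattr(obj, name):
    """Allow attribute access only if the name is neither underscore-prefixed
    nor on the explicit denylist. Applied to every attribute lookup."""
    if name.startswith("_") or name in DENIED_ATTRS:
        raise AttributeAccessDenied(
            f"access to attribute {name!r} on {type(obj).__name__} is not allowed"
        )
    return getattr(obj, name)


def resolve_path(obj, dotted):
    """Walk a dotted path such as 'ctypes._ctypes', gating every hop.
    Gating only the first hop would still stop `ctypes` here, but gating each
    hop is what makes the underscore rule catch `_ctypes` as well."""
    for part in dotted.split("."):
        obj = guarded_getattr(obj, part)
    return obj


def is_blocked(obj, dotted):
    """True if the gate refuses the path, False if it resolves normally."""
    try:
        resolve_path(obj, dotted)
    except AttributeAccessDenied:
        return True
    return False


if __name__ == "__main__":
    arr = FakeArray()
    for path in ("shape", "dtype", "ctypes", "ctypes._ctypes", "__class__"):
        print(f"{path:16s} blocked={is_blocked(arr, path)}")
```

The two defensive properties worth checking in any sandbox you deploy are visible here: the dangerous name is refused at the first hop, and the gate runs on every subsequent hop rather than only on the first attribute of an expression.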

========================================================================
POC
========================================================================
```python
array([]).ctypes._ctypes.CDLL('libc.so.6').system(b"whoami")
```

========================================================================
Hashes of further zero-days in asteval
========================================================================
Here is a set of sha256sum hashes of a series of as yet unpublished vulnerabilities, which affect the latest version of asteval:
53af0c5634bbb95889163acedf139d847ff381561a4c908e9c3dc7fc04c4fae6
256eaf6b9825d4126d6b7247f6146fd44f0d54e4bf2238aedf05297cfb1b50c6
6c8d0e0b8909bca2f20547c91ab81a7ba6cb59b0ab7d71454e651e09196f4983

========================================================================
Discoverer
========================================================================
Ward Theunisse

========================================================================
History
========================================================================
Jan 31, 2025: Informed lmfit of vulnerability through github security advisories
Feb 20, 2025: Security advisory closed by lmfit
Feb 21, 2025: Fix published by lmfit
Mar 7, 2025: Public disclosure of vulnerability