Executive Intelligence Brief
A critical vulnerability has been identified in the python-statemachine library, affecting versions 3.0.0 to 3.1.2. This vulnerability, tracked as CVE-2026-47103, allows for arbitrary code execution due to the improper neutralization of directives in dynamically evaluated code, specifically through the evaluation of `` attributes in SCXML documents using Python's `eval()`. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 9.3, indicating a high severity. The affected library is widely used for managing state machines in Python applications, making this vulnerability particularly concerning for organizations that utilize this library. The recommended mitigation is to upgrade to version 3.2.0 or later.
Threat Overview
The python-statemachine library is a popular Python package used for creating and managing finite state machines. It supports SCXML (State Chart XML), a standard for state machine definition. The library's vulnerability lies in its handling of SCXML documents, specifically in the evaluation of `` attributes.
The vulnerability is rooted in the `SCXMLProcessor.parse_scxml_file()` method, which processes SCXML documents. When this method encounters a `` element with an `expr` attribute, it evaluates the expression using Python's built-in `eval()` function without any sandboxing or restrictions. This allows an attacker to inject arbitrary Python code, leading to potential code execution in the context of the hosting process.
Technical Deep Dive
Vulnerability Classification
This vulnerability is classified as CWE-95, Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'). It occurs because the library uses `eval()` to evaluate expressions in SCXML documents without proper neutralization of directives.
The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting a high severity score of 9.8.
Root Cause Analysis
The root cause of this vulnerability is the direct use of `eval()` on user-controlled input (the `expr` attribute in SCXML `` elements) without any form of validation or sandboxing. This allows attackers to inject malicious Python code.
Attack Vector & Chain
The attack vector involves providing a malicious SCXML document that contains a `` element with a crafted `expr` attribute. When the `SCXMLProcessor.parse_scxml_file()` method processes this document, it evaluates the expression, potentially leading to code execution.
The attack chain is as follows:
1. The attacker crafts a malicious SCXML document with a `` element containing an `expr` attribute that includes malicious Python code.
2. The attacker provides this document to the vulnerable application, either by uploading it, making it accessible remotely, or including it in a configuration file.
3. The application processes the SCXML document using `SCXMLProcessor.parse_scxml_file()`.
4. The `eval()` function is called on the malicious expression, executing the attacker's code.
Exploitation Scenario Walkthrough
Scenario: Remote Code Execution via Malicious SCXML Document
1. Reconnaissance: An attacker discovers that a target application uses the vulnerable version of python-statemachine and is accessible remotely.
2. Weaponization: The attacker crafts a malicious SCXML document with a `` element containing an `expr` attribute that, when evaluated, creates a file on the server or executes a command.
3. Delivery & Exploitation: The attacker sends the malicious SCXML document to the target application, which processes it using `SCXMLProcessor.parse_scxml_file()`. This triggers the evaluation of the malicious expression, leading to code execution.
4. Post-Exploitation: The attacker may use the initial code execution to escalate privileges, move laterally within the network, or establish a persistent presence.
5. Impact Realization: The attacker achieves their goal, which could range from data exfiltration to ransomware deployment, depending on their objectives.
Exploitation in the Wild
There is no indication that this vulnerability is currently being actively exploited in the wild. However, given its high severity and the potential for remote code execution, it is likely to attract significant attention from attackers.
Impact Analysis
Direct Impact
The direct impact of this vulnerability is arbitrary code execution in the context of the hosting process. This can lead to a range of outcomes, including but not limited to:
- Remote code execution (RCE)
- Privilege escalation
- Data exfiltration
- Denial of Service (DoS)
Downstream & Cascading Effects
The downstream effects of this vulnerability can be significant, especially if the affected application has a high privilege level or is exposed to the internet. Potential cascading effects include:
- Supply chain compromise
- Lateral movement within the network
- Data breaches
- Regulatory implications
Affected Products & Versions
The python-statemachine library versions 3.0.0 to 3.1.2 are affected. The vulnerability is fixed in version 3.2.0.
Detection & Threat Hunting
Indicators of Compromise
Indicators of compromise (IoCs) may include:
- Unusual files or changes to the file system
- Unexpected network communications
- Anomalies in application behavior
- Suspicious process execution
Detection Rules & Signatures
Detection logic may involve monitoring for:
- Suspicious SCXML documents being processed
- Anomalous use of `eval()` or other dynamic evaluation functions
- Unusual privilege escalation or code execution patterns
Relevant MITRE ATT&CK techniques include T1003 (OS Credential Dumping), T1059 (Command and Scripting Interpreter), and T1204 (User Data).
Threat Hunting Queries
Threat hunting queries may involve searching for:
- Recent changes to SCXML documents or other configuration files
- Unusual patterns of `eval()` usage
- Processes running with elevated privileges
Remediation & Hardening
Immediate Actions (0-24 hours)
1. **Upgrade to version 3.2.0 or later**: This is the most straightforward and effective mitigation.
2. **Restrict access to SCXML document processing**: Limit the ability to process SCXML documents to trusted sources.
3. **Monitor for suspicious activity**: Implement monitoring to detect potential exploitation attempts.
Short-Term Hardening (1-7 days)
1. **Implement additional security controls**: Consider using a Web Application Firewall (WAF) or intrusion detection systems to monitor traffic and detect suspicious patterns.
2. **Enhance logging and monitoring**: Improve logging and monitoring to quickly detect and respond to potential security incidents.
Strategic Recommendations
1. **Regularly update dependencies**: Ensure all dependencies, including python-statemachine, are kept up to date.
2. **Use secure coding practices**: Avoid using `eval()` or similar functions with user-controlled input.
3. **Implement a robust security testing program**: Regularly test applications for vulnerabilities and address them promptly.
Analyst Assessment
Given the high severity of this vulnerability and its potential for remote code execution, it is likely that attackers will target applications using the affected versions of python-statemachine. Organizations should prioritize upgrading to version 3.2.0 or later and implement additional security controls to mitigate the risk of exploitation.