Key Information

Vulnerability Type: CWE-94 Code Injection

Affected Function:

Description:
- This code is vulnerable to CWE-94 Code Injection. The function is intended to execute user-provided code in what appears to be a secure environment, but it directly uses the function to run string-based code.
- An attacker can craft malicious code as input to the string. Since the function runs the provided code within a defined namespace that includes several critical libraries (such as , , , etc.), the attacker may access and manipulate these libraries to perform unauthorized operations, such as reading sensitive files, modifying system configurations, or executing malicious network activities.

Exploitation Method:
- Attackers can exploit this vulnerability by leveraging libraries available in the existing namespace. For example, if the library is accessible, attackers can attempt to access the underlying system via the library’s file reading capabilities.
- Supply the following malicious code as the parameter when calling the function:
- The attacker uses ' function to read the file. If successful, the file content is converted into a tab-separated string and stored in the variable. When the function executes the provided code, the attacker can retrieve the contents of via the return value, thereby obtaining sensitive system information without direct access to the module.

Impact Scope:
- All code versions since commit are affected.
- All versions from v0.1.0 to v0.1.4.
- The latest main branch also contains this vulnerability.

Mitigation Measures:
- Some workarounds have been added to address the issue, but a complete fix will not be implemented, as this codebase is intended to run in a Docker environment, which significantly reduces potential security risks.
- A SECURITY section has been added to the README to make users more aware of this vulnerability.
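
Added example (not code from the affected project, and not its workaround): a pre-execution allowlist gate for the pattern described above, assuming the affected function is Python and runs the submitted string with exec() in a namespace of pre-loaded libraries. The names tablelib, netlib and read_table, the placeholder path and the allowlists are hypothetical stand-ins for the identifiers missing above. The gate narrows what the namespace exposes and complements the Docker isolation; it is not a sandbox.

```python
import ast
import builtins

# Assumption: names the runner pre-loads into the exec() namespace. "tablelib"
# and "netlib" are hypothetical stand-ins for the libraries the advisory elides.
PRELOADED = {"math", "tablelib", "netlib"}
# Library attributes user code may read; file and network helpers are left off.
ALLOWED_ATTRS = {"math": {"sqrt", "floor"}, "tablelib": {"DataFrame", "concat"}}
ALLOWED_METHODS = {"sum", "mean", "append", "keys", "values"}
ALLOWED_BUILTINS = {"len", "min", "max", "sum", "range", "sorted"}
RESERVED = PRELOADED | set(dir(builtins))

# Constructed sample inputs; read_table and the path are placeholders.
BENIGN = "values = [4.0, 9.0]\nresult = sum(math.sqrt(v) for v in values)\n"
FILE_READ = 'result = tablelib.read_table("/path/placeholder")\n'
ALIAS = "t = tablelib\nresult = t.DataFrame()\n"

def find_violations(source):
    """Return reasons to refuse `source`; an empty list means the gate passed it."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg}"]
    nodes = list(ast.walk(tree))
    stored = {n.id for n in nodes
              if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Store)}
    usable = (stored - RESERVED) | ALLOWED_BUILTINS
    lib_bases = set()  # id() of library Name nodes used directly as `lib.attr`
    problems = []
    for n in nodes:
        if isinstance(n, (ast.Import, ast.ImportFrom)):
            problems.append(f"line {n.lineno}: import statement")
        elif isinstance(n, ast.Attribute):
            base = n.value
            if isinstance(base, ast.Name) and base.id in ALLOWED_ATTRS:
                lib_bases.add(id(base))
                if n.attr not in ALLOWED_ATTRS[base.id] or not isinstance(n.ctx, ast.Load):
                    problems.append(f"line {n.lineno}: {base.id}.{n.attr} is not an allowlisted read")
            elif n.attr not in ALLOWED_METHODS:
                problems.append(f"line {n.lineno}: attribute .{n.attr} is not allowlisted")
    for n in nodes:  # bare names: blocks aliasing a library or rebinding a preloaded name
        if not isinstance(n, ast.Name):
            continue
        if isinstance(n.ctx, ast.Store):
            if n.id in RESERVED:
                problems.append(f"line {n.lineno}: rebinds reserved name {n.id}")
        elif id(n) not in lib_bases and n.id not in usable:
            problems.append(f"line {n.lineno}: name {n.id} is not allowlisted")
    return problems
```

Call find_violations() on the submitted string before it reaches exec() and refuse to run it when the returned list is non-empty.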