Key Information

Vulnerability Overview
Vulnerability Type: Arbitrary Code Execution
Vulnerability Description: A flaw exists in the recipe processing logic of , caused by insecure evaluation of recipe selectors, leading to arbitrary code execution.
CVE ID: CVE-2023-32798
Severity: High

Affected and Fixed Versions
Affected Versions: <=25.3.2
Fixed Versions: 25.4.0

Vulnerability Details
Root Cause: uses the function to process recipe selectors embedded in meta.yaml files without any sanitization, so the selector expression is executed as code during the build process.
Risk: An attacker who can supply a recipe can embed a malicious selector that is evaluated during the build, compromising the integrity of the build environment and running unauthorized commands or file operations.

PoC Example
Method: Execute arbitrary code using a recipe file containing a malicious recipe selector.
Command:
Output:

Root Cause Analysis
Problematic Code: Recipe selectors are handled insecurely by directly evaluating user-defined expressions with the function.
Developer Awareness: TODO comments in the source code indicate that the development team was aware of the potential for arbitrary code execution.

Recommended Mitigation
Eliminate Use of : Replace it with a secure custom parser that interprets selector expressions safely, restricts evaluation to a predefined set of operations, and makes arbitrary code execution impossible.
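As an added illustration of the mitigation recommended above (this is example code written for this page, not the project's own parser), the following evaluates a meta.yaml-style selector such as `linux and py>=38` by walking Python's `ast` and accepting only boolean logic, comparisons, constants and a fixed set of variable names; the `SAFE_NAMESPACE` keys and values are constructed for the example and stand in for whatever the build tool exposes to selectors.

```python
import ast
import operator

# Hypothetical selector namespace; names and values are constructed for this
# example and are not the build tool's real selector variables.
SAFE_NAMESPACE = {"linux": True, "osx": False, "win": False,
                  "x86_64": True, "py": 311, "python": "3.11"}

_CMP = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}

class UnsafeSelector(ValueError):
    """Raised when a selector uses syntax outside the allowed subset."""

def _eval(node, ns):
    if isinstance(node, ast.Expression):
        return _eval(node.body, ns)
    if isinstance(node, ast.Constant) and isinstance(node.value, (bool, int, float, str)):
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in ns:  # unknown names are refused, never looked up
            raise UnsafeSelector(f"unknown selector variable {node.id!r}")
        return ns[node.id]
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval(node.operand, ns)
    if isinstance(node, ast.BoolOp):
        vals = (_eval(v, ns) for v in node.values)
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    if isinstance(node, ast.Compare):  # supports chains like 38 <= py < 40
        left = _eval(node.left, ns)
        for op, right_node in zip(node.ops, node.comparators):
            if type(op) not in _CMP:
                raise UnsafeSelector(f"operator {type(op).__name__} not allowed")
            right = _eval(right_node, ns)
            if not _CMP[type(op)](left, right):
                return False
            left = right
        return True
    # Calls, attribute access, subscripts, lambdas, etc. are rejected here.
    raise UnsafeSelector(f"disallowed syntax {type(node).__name__}")

def eval_selector(expr, ns=SAFE_NAMESPACE):
    """Evaluate a recipe selector without ever handing it to eval()."""
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError as e:
        raise UnsafeSelector(f"cannot parse selector: {e}") from None
    return bool(_eval(tree, ns))
```

Any expression outside the whitelisted node types raises `UnsafeSelector` before evaluation starts, which is the property the recommended custom parser must guarantee.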