CVE-2025-46725: Python Eval Empty Globals False Sandbox
greprules fetch cve-2025-46725-python-eval-empty-globals-false-sandbox --engine opengrep

Description
Calling eval() with an empty globals dict ({}) is NOT a sandbox. Python expressions can reach __builtins__ via attribute traversal (e.g. (df).__class__.__mro__[-1].__subclasses__()...__init__.__globals__['__builtins__']['__import__']('os').system(...)) on any reachable object, enabling arbitrary code execution. If the evaluated expression is untrusted (e.g.
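The following is an added example, not code from the rule page: it puts the flagged pattern (`unsafe_eval`) next to a whitelist-based evaluator (`safe_eval`) that walks the AST and rejects attribute access, calls and unknown names, so the traversal route above has nothing to start from. Function names, the accepted operator set and the sample expressions are constructed for this illustration.

```python
import ast
import operator

# Constructed example. Only these operators are accepted; Attribute, Call,
# Subscript, lambdas and comprehensions are rejected, which closes the
# __class__/__mro__ traversal route the rule describes.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
            ast.Div: operator.truediv, ast.Mod: operator.mod}
_CMP_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
            ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}

class UnsafeExpression(ValueError):
    """The expression uses a construct or name outside the whitelist."""

def _ev(node, names):
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float, str)):
        return node.value
    if isinstance(node, ast.Name):          # only caller-supplied names resolve;
        if node.id not in names:            # '__builtins__' is just an unknown name
            raise UnsafeExpression(f"unknown name {node.id!r}")
        return names[node.id]
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.Not, ast.USub)):
        val = _ev(node.operand, names)
        return (not val) if isinstance(node.op, ast.Not) else -val
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_ev(node.left, names), _ev(node.right, names))
    if isinstance(node, ast.BoolOp):        # no short-circuit; operands are pure values
        vals = [_ev(v, names) for v in node.values]
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    if isinstance(node, ast.Compare):       # handles chains such as a < b <= c
        left = _ev(node.left, names)
        for op, rnode in zip(node.ops, node.comparators):
            if type(op) not in _CMP_OPS:
                raise UnsafeExpression(f"disallowed comparison {type(op).__name__}")
            right = _ev(rnode, names)
            if not _CMP_OPS[type(op)](left, right):
                return False
            left = right
        return True
    raise UnsafeExpression(f"disallowed construct {type(node).__name__}")

def safe_eval(expr, names):
    """Evaluate an untrusted arithmetic/boolean expression over `names` only."""
    return _ev(ast.parse(expr, mode="eval").body, dict(names))

def unsafe_eval(expr, names):
    """The pattern this rule flags. CPython re-inserts __builtins__ into an
    empty globals dict, so every builtin stays reachable from the expression."""
    return eval(expr, {}, dict(names))
```

`unsafe_eval("len", {})` returns the real `len` builtin despite the empty globals dict, while `safe_eval` raises `UnsafeExpression` for the same input.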
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided