CVE Radar Logo
CVERadar

CVE-2024-23346

Critical Severity
Vendor: Materialsvirtuallab
SVRS: 73/100
CVSSv3: 7.8/10
EPSS: 0.30046/1

CVE-2024-23346 allows for arbitrary code execution in the pymatgen library. This vulnerability stems from the unsafe use of eval() in the JonesFaithfulTransformation.from_transformation_str() method, before version 2024.2.20. Parsing untrusted input can lead to the execution of attacker-supplied code. Although the CVSS score is 7.8, the SOCRadar Vulnerability Risk Score (SVRS) of 73 indicates a high risk. This is due to observed activity, including active exploits being published. Organizations using vulnerable versions of pymatgen should immediately upgrade to version 2024.2.20. The availability of public exploits significantly increases the risk of exploitation, emphasizing the need for swift remediation to prevent potential system compromise and data breaches. The insecure use of eval() is a known dangerous practice and should be avoided.

In The Wild
Exploit Available
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2024-02-21
2025-02-05

SOCRadar AI Insight

Description:

CVE-2024-23346 is a critical vulnerability in Pymatgen, a Python library for materials analysis. It allows for arbitrary code execution due to insecure use of eval() when parsing untrusted input. The SVRS of 30 indicates a moderate level of urgency, but immediate action is still recommended.

Key Insights:

  • Exploitation in the Wild: This vulnerability is actively exploited by hackers, making it a high-priority threat.
  • High CVSS Score: The CVSS score of 9.3 indicates the severity of this vulnerability, highlighting the potential for significant impact.
  • CWE-77: This vulnerability falls under CWE-77 (Improper Neutralization of Script-Related HTML Tags in a Web Page), emphasizing the importance of proper input validation.
  • Threat Actors: Specific threat actors or APT groups exploiting this vulnerability have not been identified.

Mitigation Strategies:

  • Update Pymatgen: Upgrade to Pymatgen version 2024.2.20 or later to address this vulnerability.
  • Input Validation: Implement robust input validation mechanisms to prevent untrusted input from being processed by eval().
  • Use a Web Application Firewall (WAF): Deploy a WAF to filter and block malicious requests that may attempt to exploit this vulnerability.
  • Monitor for Suspicious Activity: Regularly monitor systems for any suspicious activity or unauthorized access that may indicate exploitation.
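A defensive alternative to eval() for the input described above, added here as an illustration (it is neither pymatgen's own code nor its actual fix): it assumes the Jones-faithful string layout "x,y,z;tx,ty,tz" and accepts only the arithmetic a lattice transformation needs, so function calls, attribute access and any other syntax the string could carry are rejected before anything is evaluated.

```python
import ast
from fractions import Fraction

# Added example, not pymatgen's own code. Assumes the Jones-faithful layout
# "x,y,z;tx,ty,tz" (e.g. "a+b,-a+b,c;0,0,1/2"): x, y, z are linear expressions
# in the basis symbols a, b, c and tx, ty, tz are rational translation parts.
BASIS = {"a": (1, 0, 0), "b": (0, 1, 0), "c": (0, 0, 1)}

def _combine(op, x, y):
    # Only the arithmetic a linear lattice transformation needs is permitted;
    # values are Fractions (scalars) or 3-tuples of Fractions (vectors).
    vx, vy = isinstance(x, tuple), isinstance(y, tuple)
    if isinstance(op, (ast.Add, ast.Sub)) and vx == vy:
        f = (lambda p, q: p + q) if isinstance(op, ast.Add) else (lambda p, q: p - q)
        return tuple(map(f, x, y)) if vx else f(x, y)
    if isinstance(op, ast.Mult) and not (vx and vy):
        x, y = (y, x) if vy else (x, y)          # put the vector, if any, first
        return tuple(p * y for p in x) if (vx or vy) else x * y
    if isinstance(op, ast.Div) and not vy:
        return tuple(p / y for p in x) if vx else x / y
    raise ValueError("unsupported operation in transformation string")

def _evaluate(node):
    # Allowlist walk over the parsed AST: a/b/c, plain numbers, + - * /, unary +/-.
    # Calls, attributes, subscripts, strings and anything else are rejected.
    if isinstance(node, ast.Expression):
        return _evaluate(node.body)
    if isinstance(node, ast.Name) and node.id in BASIS:
        return tuple(Fraction(v) for v in BASIS[node.id])
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return Fraction(node.value)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.UAdd, ast.USub)):
        v, sign = _evaluate(node.operand), (1 if isinstance(node.op, ast.UAdd) else -1)
        return tuple(sign * p for p in v) if isinstance(v, tuple) else sign * v
    if isinstance(node, ast.BinOp):
        return _combine(node.op, _evaluate(node.left), _evaluate(node.right))
    raise ValueError(f"disallowed syntax: {type(node).__name__}")

def parse_transformation(s):
    """Return (3x3 matrix, translation vector) as Fractions, or raise ValueError."""
    try:
        lin, trans = s.split(";")
        matrix = [_evaluate(ast.parse(e.strip(), mode="eval")) for e in lin.split(",")]
        if len(matrix) != 3 or not all(isinstance(r, tuple) for r in matrix):
            raise ValueError("need three components, each depending on a, b or c")
        tx, ty, tz = (Fraction(t.strip()) for t in trans.split(","))  # "1/2" is safe
    except (SyntaxError, ZeroDivisionError) as exc:
        raise ValueError(f"bad transformation string: {exc}") from exc
    return [list(r) for r in matrix], [tx, ty, tz]
```

Any string that does not reduce to three linear combinations of a, b, c plus three rational translations raises ValueError instead of being evaluated.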

Additional Information:

  • The Cybersecurity and Infrastructure Security Agency (CISA) has not issued a warning for this vulnerability.
  • Users with additional queries can use the 'Ask to Analyst' feature, contact SOCRadar directly, or open a support ticket for more information.

Indicators of Compromise

No IOCs found for this CVE

Exploits

Title | Software Link | Date
Pymatgen 2024.1 - Remote Code Execution (RCE) | https://pypi.org/project/pymatgen/ | 2025-04-15
MAWK0235/CVE-2024-23346 | https://github.com/MAWK0235/CVE-2024-23346 | 2024-12-09
szyth/CVE-2024-23346-rust-exploit | https://github.com/szyth/CVE-2024-23346-rust-exploit | 2025-02-25
Sanity-Archive/CVE-2024-23346 | https://github.com/Sanity-Archive/CVE-2024-23346 | 2025-02-20

News

CVE-2024-23346 | materialsproject pymatgen prior 2024.2.20 from_transformation_str command injection
vuldb.com, 2025-02-06
CVE-2024-23346 | materialsproject pymatgen prior 2024.2.20 from_transformation_str command injection | A vulnerability was found in materialsproject pymatgen. It has been rated as critical. Affected by this issue is the function from_transformation_str. The manipulation leads to command injection. This vulnerability is handled as CVE-2024-23346. The attack needs to be approached locally. There is no exploit available. It is recommended

Social Media

CVE-2024-23346 found and disclosed by William Khem-Marquez

Affected Software

Configuration 1
Type | Vendor | Product
App | Materialsvirtuallab | pymatgen

References

Reference | Link
[email protected] | https://github.com/materialsproject/pymatgen/blob/master/pymatgen/symmetry/settings.py#L97C1-L111C108
[email protected] | https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd236b376bcf5a
[email protected] | https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f
GITHUB | https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f
AF854A3A-2127-422B-91AE-364DA2661108 | https://github.com/materialsproject/pymatgen/blob/master/pymatgen/symmetry/settings.py#L97C1-L111C108
AF854A3A-2127-422B-91AE-364DA2661108 | https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd236b376bcf5a
AF854A3A-2127-422B-91AE-364DA2661108 | https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f
AF854A3A-2127-422B-91AE-364DA2661108 | https://www.vicarius.io/vsociety/posts/critical-security-flaw-in-pymatgen-library-cve-2024-23346

CWE Details

CWE ID | CWE Name | Description
CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
