CVE-2026-33139
HIGHSeverity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
PySpector versions <= 0.1.6 are affected by a security validation bypass in the plugin system. The validate_plugin_code() function in plugin_system.py, performs static AST analysis to block dangerous API calls before a plugin is trusted and executed. However, the internal resolve_name() helper only handles ast.Name and ast.Attribute node types, returning None for all others. When a plugin uses indirect function calls via getattr() (such as getattr(os, 'system')) the outer call's func node is of type ast.Call, causing resolve_name() to return None, and the security check to be silently skipped. The plugin incorrectly passes the trust workflow, and executes arbitrary system commands on the user's machine when loaded.
Impact
An attacker who can deliver a malicious plugin file to a PySpector user and convince them to install it, can achieve arbitrary code execution on the user's local machine. Exploitation requires the victim to explicitly run pyspector plugin install --trust on the malicious file (a deliberate multi-step action that meaningfully limits the attack surface compared to passive vulnerabilities). However, the bypass directly undermines the security guarantee that validate_plugin_code() is designed to provide. Once the plugin is trusted and executed, the following is achievable:
- Full read/write access to the local filesystem
- Exfiltration of sensitive data and environment variables (i.e. API keys, credentials, etc...)
- Establishment of persistence mechanisms
- Lateral movement in CI/CD environments where PySpector runs with elevated permissions (pre-commit hooks and scheduled scans)
Any user of PySpector who installs third-party plugins outside the official repository is potentially affected.
PoC
The following steps reproduce the vulnerability on PySpector <= 0.1.6:
- Create a malicious plugin file that uses getattr-based indirect calls to bypass AST validation, and confirm the validator incorrectly marks it as safe:
<img width="1300" height="675" alt="image" src="https://github.com/user-attachments/assets/4de3a0d1-1c77-4454-ad10-2369d5ca9997" />
- Run PySpector Plugin Validator module (this confirms the validator incorrectly marks the plugin as safe):
<img width="908" height="239" alt="image" src="https://github.com/user-attachments/assets/3e3b9603-4d95-4a39-be97-4163f6639599" />
- Install and trust the plugin through the normal PySpector workflow:
pyspector plugin install /tmp/evil_plugin.py --trust
- Execute the plugin, during a scan:
pyspector scan /any/target --plugin evil
AnalysisAI
PySpector versions 0.1.6 and earlier contain a security validation bypass in the plugin system that allows arbitrary code execution. The validate_plugin_code() function fails to detect dangerous API calls when invoked indirectly via getattr(), allowing malicious plugins to execute system commands. A public proof-of-concept exploit exists demonstrating the bypass, and while exploitation requires user interaction (installing and trusting a malicious plugin), successful exploitation grants full system access including filesystem manipulation, credential theft, and persistence mechanisms.
Technical ContextAI
PySpector is a Python security analysis tool distributed via pip (pkg:pip/pyspector) that implements a plugin architecture with security validation. The vulnerability is rooted in CWE-184 (Incomplete List of Disallowed Inputs), where the AST-based code validator's resolve_name() helper function only handles ast.Name and ast.Attribute node types. When plugin code uses indirect function references through getattr() calls (e.g., getattr(os, 'system')), the outer call generates an ast.Call node type, causing resolve_name() to return None and bypass the security check entirely. This validation gap allows arbitrary Python code execution within the context of PySpector's runtime environment, defeating the entire trust model of the plugin system.
RemediationAI
Upgrade PySpector to a version newer than 0.1.6 once a patched release becomes available; monitor the GitHub repository at https://github.com/ParzivalHack/PySpector and the security advisory at https://github.com/ParzivalHack/PySpector/security/advisories/GHSA-v3xv-8vc3-h2m6 for patch announcements. Until patching is possible, organizations should implement strict controls around plugin sources by only installing plugins from the official PySpector repository, manually reviewing all third-party plugin code before installation regardless of validation results, and restricting the use of the --trust flag to administrator-vetted plugins only. In high-security environments, consider disabling the plugin system entirely or running PySpector in sandboxed containers with minimal filesystem and network access to limit the blast radius of potential exploitation.
Same weakness CWE-184 – Incomplete List of Disallowed Inputs
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-v3xv-8vc3-h2m6