Nixpkgs security tracker
NIXPKGS-2026-0973
GitHub issue
published 2 months, 2 weeks ago
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse accepted
- @LeSuisse published on GitHub
Lupa has a Sandbox escape and RCE due to incomplete attribute_filter enforcement in getattr / setattr
Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution.
References
-
https://github.com/scoder/lupa/security/advisories/GHSA-69v7-xpr6-6gjm x_refsource_CONFIRM
Affected products
lupa
- ==<= 2.6
Matching in nixpkgs
pkgs.python312Packages.lupa
None
pkgs.python313Packages.lupa
Lua in Python
pkgs.python314Packages.lupa
Lua in Python
Package maintainers
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>