Security: eval() on user-defined lambda expressions in reduce step enables code injection #1595

@lighthousekeeper1212

Security Concern

The expression evaluation system uses Python's built-in eval() on user-defined lambda expressions from task definitions. While the rest of the evaluation system correctly uses simpleeval (safe), the lambda evaluation path uses unrestricted eval().

Vulnerable Code

File: src/agents-api/agents_api/common/utils/expressions.py (Lines 76-90)

# Check that all extra lambdas are valid
assert v.startswith("lambda "), "All extra lambdas must start with 'lambda'"

try:
    ast.parse(v)
except Exception as e:
    msg = f"Invalid lambda: {v}"
    raise ValueError(msg) from e

# Eval the lambda and add it to the extra lambdas
extra_lambdas[k] = eval(v)  # Full Python eval - unsafe

Why the Validation is Insufficient

The two checks (startswith("lambda") + ast.parse()) are trivially bypassable. ast.parse() only validates Python syntax, not safety. Any syntactically valid lambda passes:

lambda _result, _item: (__import__('os').system('id'))

This starts with "lambda", is valid Python, and executes arbitrary code.

Data Flow

  1. User defines a task with a map_reduce step containing a reduce expression
  2. In helpers.py:356, reduce is wrapped: f"lambda _result, _item: ({reduce})"
  3. In expressions.py:90, eval(v) executes with full Python eval

Recommended Fix

Since simpleeval is already used for all other expression evaluation, extend its use to lambda evaluation:

# Option 1: Use RestrictedPython
from RestrictedPython import compile_restricted
byte_code = compile_restricted(v, '<lambda>', 'eval')
extra_lambdas[k] = eval(byte_code)

# Option 2: AST allowlist
tree = ast.parse(v, mode='eval')
# Walk the AST and only allow safe node types (Compare, BoolOp, BinOp, etc.)
# Reject Call nodes to __import__, etc.

Note

I looked for a SECURITY.md or private vulnerability reporting channel but didn't find one. Consider enabling GitHub's private vulnerability reporting at Settings → Code security → Private vulnerability reporting.


Discovered during security audit by Lighthouse Research Project (https://lighthouse1212.com)
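
Option 2 from the issue above, worked through as an added example; it is not code from the issue or from the project. The allowlist contents and the names `compile_safe_lambda`, `is_allowed` and `run_reduce` are assumptions chosen for illustration.

```python
import ast
from functools import reduce

# Assumed policy for reduce expressions: arithmetic, comparisons, boolean
# logic, literals and indexing. Call, Attribute, nested Lambda, comprehensions
# and every other node type are absent, so they are rejected.
ALLOWED_NODES = (
    ast.Name, ast.Load, ast.Constant,
    ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare, ast.IfExp,
    ast.operator, ast.unaryop, ast.boolop, ast.cmpop,
    ast.List, ast.Tuple, ast.Dict, ast.Subscript, ast.Slice,
)

def compile_safe_lambda(src):
    """Return a callable for `src`, or raise ValueError if it leaves the allowlist."""
    try:
        tree = ast.parse(src.strip(), mode="eval")
    except (SyntaxError, ValueError) as e:
        raise ValueError(f"Invalid lambda: {src}") from e
    fn = tree.body
    if not isinstance(fn, ast.Lambda):
        raise ValueError("expression must be a single lambda")
    a = fn.args
    # Defaults are evaluated at definition time, so they are refused outright.
    if a.defaults or a.kw_defaults or a.kwonlyargs or a.posonlyargs or a.vararg or a.kwarg:
        raise ValueError("only plain positional parameters are allowed")
    params = {p.arg for p in a.args}
    for node in ast.walk(fn.body):
        # Pow is excluded too: a huge exponent is a cheap CPU and memory sink.
        if not isinstance(node, ALLOWED_NODES) or isinstance(node, ast.Pow):
            raise ValueError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id not in params:
            raise ValueError(f"unknown name: {node.id}")
    # Every node has been vetted; builtins are emptied as a second layer.
    return eval(compile(tree, "<reduce>", "eval"), {"__builtins__": {}}, {})

def is_allowed(src):
    try:
        compile_safe_lambda(src)
        return True
    except ValueError:
        return False

def run_reduce(src, items, initial):
    return reduce(compile_safe_lambda(src), items, initial)

if __name__ == "__main__":
    print(run_reduce("lambda _result, _item: (_result + _item)", [1, 2, 3], 0))
    print(is_allowed("lambda _result, _item: (__import__('os').system('id'))"))
```

Under this policy a reduce expression cannot call helpers such as `len`; any function the project wants to expose would have to be added as an explicitly vetted name.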
