${eval:...} code execution via custom resolver in FlashAttention run.pyMITRE service request: 1988723
Status: RESERVED (pending a qualifying public reference per CNA Rules §5.3).
The flash-attention project thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains a code injection vulnerability (CWE-94) in its training script. The script registers the Python eval() function as a Hydra configuration resolver under the name eval. This allows configuration files to execute arbitrary Python code via the ${eval:…} syntax. An attacker can exploit this by providing a malicious configuration file, leading to arbitrary code execution when the training script is run with that configuration.
OmegaConf.register_new_resolver('eval', eval) exposes raw Python evaluation inside YAML/structured configs. Any untrusted .yaml passed to training/run.py can embed ${eval:...} expressions that invoke arbitrary Python (for example importing os and calling system), executed at Hydra initialization.
e724e2588cbe754beb97cf7c011b5e7e34119e62.@hydra.main decorated entry loading attacker-controlled YAML.eval mapped to built-in eval.oc.decode with strict schema.Critical — config-driven RCE is trivial to weaponize in CI.