Superduper Project Remote Code Execution Vulnerability in Query Parsing Component
Vulnerability
A critical remote code execution vulnerability has been identified in the superduper project, affecting versions through v0.10.0. The issue lies in the query parsing component, specifically in the _parse_op_part() function in query.py, which passes user-supplied query operands to eval() without adequate sanitization or restrictions. Although the function attempts to limit the execution context by supplying a restricted global namespace, access to dangerous built-in functions is not blocked. A remote attacker could therefore send a crafted query string containing Python code that imports modules such as os and executes arbitrary system commands, potentially leading to a complete compromise of the server.
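The following added example (not superduper's own code) contrasts the eval()-based operand parsing pattern described above with a hardened version that accepts only Python literals; the "field op operand" clause shape and all function names are assumptions made for illustration.

```python
"""Added example (not superduper's own code): the eval()-based operand
parsing pattern the advisory describes, next to a hardened version that
only accepts Python literals. The 'field op operand' clause format and all
function names here are assumptions made for illustration."""
import ast
import re

# Vulnerable pattern: operand text goes straight into eval(). Passing an
# empty globals dict is not a sandbox: when '__builtins__' is absent from
# globals, Python inserts the real builtins module, so calls like len()
# or __import__() remain reachable from the evaluated string.
def parse_operand_unsafe(text: str):
    return eval(text, {}, {})

# Hardened replacement: ast.literal_eval() parses the text into an AST and
# accepts only literal nodes (numbers, strings, bytes, bools, None, and
# tuples/lists/dicts/sets of those). Names, attribute access, calls and
# arithmetic are rejected with ValueError, so no code is ever executed.
def parse_operand_safe(text: str):
    try:
        return ast.literal_eval(text.strip())
    except (ValueError, SyntaxError, MemoryError, RecursionError) as exc:
        raise ValueError(f"operand is not a plain literal: {text!r}") from exc

# Assumed clause shape: "<field> <op> <operand>", with an allow-list of
# comparison operators so the operator position cannot carry code either.
_CLAUSE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*(==|!=|<=|>=|<|>)\s*(.+?)\s*$")

def parse_op_part(part: str):
    m = _CLAUSE.match(part)
    if not m:
        raise ValueError(f"malformed clause: {part!r}")
    field, op, operand = m.groups()
    return field, op, parse_operand_safe(operand)

if __name__ == "__main__":
    print(parse_op_part("price >= 10.5"))
    print(parse_op_part("tags == ['a', 'b']"))
    # Each of these evaluates under eval() but is refused by literal_eval().
    for bad in ("1 + 1", "len('abc')", "__import__('os')"):
        try:
            parse_operand_safe(bad)
        except ValueError as exc:
            print("rejected:", exc)
```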
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the server, with the executed code running in the same context as the application.