Description
The superduper project through v0.10.0 contains a critical remote code execution vulnerability in its query parsing component. The _parse_op_part() function in query.py uses the unsafe eval() function to dynamically evaluate user-supplied query operands without proper sanitization or restriction. Although the function attempts to limit the execution context by providing a restricted global namespace, it does not block access to dangerous built-in functions. A remote attacker can exploit this by submitting a specially crafted query string containing Python code that imports modules (e.g., os) and executes arbitrary system commands, leading to complete compromise of the server.
Published: 2026-05-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the use of Python's eval() within the _parse_op_part() function of the superduper query parser. The function passes a restricted globals dictionary to eval(), but that does not remove the interpreter's built-in functions from the evaluation environment, so an attacker can embed arbitrary Python expressions, including imports of modules such as os, that execute system commands. The flaw permits remote execution of code with the privileges of the server process, enabling a complete compromise of the host when a malicious query is submitted.

Affected Systems

All releases of the open‑source SuperDuper project up to and including version 0.10.0 are affected. Any deployment that exposes the query interface provided by the repository is vulnerable. The issue is not tied to any commercial vendor; it originates entirely from the project's code base.

Risk and Exploitability

With a CVSS 3.1 base score of 8.8 (vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) the vulnerability is rated High: no privileges are required, but the vector records user interaction, meaning the crafted query has to be processed by the application on the attacker's behalf rather than triggering on receipt. The EPSS score is below 1%, which is a low predicted probability of exploitation in the wild, not evidence that exploitation is infeasible; the SSVC assessment records no known exploitation, rates the issue as not automatable, and rates its technical impact as total. The vulnerability is not listed in the CISA KEV catalog. An attacker whose input reaches the query parser can supply a crafted query string that triggers the unsafe eval and gain code execution with the privileges of the server process.

Generated by OpenCVE AI on May 13, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade superduper to a release that removes the eval() call from _parse_op_part() once the project publishes one; no fixed version is recorded here, so check the GitHub advisory GHSA-2799-6g5r-mmc7 for the patched release before relying on an upgrade.
  • Restrict access to the query endpoint to authenticated and trusted users, or disable it entirely for untrusted traffic; this limits the exposure to CWE-94/CWE-95 (code and eval injection) exploitation but does not remove the flaw.
  • Replace the eval-based parsing logic with a validated query grammar that accepts only literals and a whitelist of operators (for operands, ast.literal_eval rather than eval), so untrusted text is never evaluated as code.
  • Place the query API behind a firewall or network segment to reduce exposure to potential attackers, adding an extra layer against remote code execution.

Generated by OpenCVE AI on May 13, 2026 at 18:20 UTC.
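The following example is added for this page; it is not code from the superduper project and does not reproduce its _parse_op_part(). It illustrates the mechanism described in the Impact section (a hand-built globals dict that still leaves the built-ins reachable from eval()) and the literal-only replacement parser recommended above. The function names, the "field <op> operand" grammar and the sample operands are assumptions made for the example.

```python
"""Added illustration for this advisory. This is NOT superduper's code and
does not reproduce its _parse_op_part(); the function names, the
'field <op> operand' grammar and the sample operands are assumptions made
for the example. It shows (1) why a 'restricted' globals dict does not
make eval() safe and (2) a literal-only replacement parser."""
import ast
import re
import types


# 1. Vulnerable pattern (hypothetical reconstruction of the flaw class) ---
def parse_operand_unsafe(text: str):
    """Evaluate an operand with eval() inside a hand-built namespace.

    The namespace lists only two helpers, but it has no '__builtins__'
    key, so eval() silently adds the real builtins module before parsing.
    Every builtin, including __import__, open and exec, stays reachable.
    """
    restricted_globals = {"len": len, "str": str}
    return eval(text, restricted_globals, {})  # CWE-95: eval injection


def builtins_reachable(text: str) -> bool:
    """True when the 'restricted' eval still hands back a module object,
    i.e. the operand text managed to import something."""
    return isinstance(parse_operand_unsafe(text), types.ModuleType)


# 2. Safe replacement: literals only, nothing is evaluated ---------------
ALLOWED_OPS = ("==", "!=", "<=", ">=", "<", ">", "in")

# Field names are identifiers with optional dotted paths, the operator is
# drawn from the whitelist, and the operand is the remaining text.
_COMPARISON = re.compile(
    r"^\s*(?P<field>[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*)\s*"
    r"(?P<op>==|!=|<=|>=|<|>|\bin\b)\s*"
    r"(?P<operand>.+?)\s*$"
)


def parse_operand_safe(text: str):
    """Parse an operand as a Python literal (int, float, str, bool, None,
    list, tuple, dict, set). ast.literal_eval never executes code: calls,
    attribute access, bare names and imports raise ValueError/SyntaxError."""
    try:
        return ast.literal_eval(text.strip())
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"operand is not a literal: {text!r}") from exc


def parse_comparison(expr: str):
    """Split 'field <op> operand' into (field, op, literal_value).

    Anything that does not match the grammar, or whose operand is not a
    literal, is rejected instead of being evaluated."""
    m = _COMPARISON.match(expr)
    if m is None:
        raise ValueError(f"unrecognised comparison: {expr!r}")
    op = m.group("op")
    if op not in ALLOWED_OPS:  # defensive; the regex already restricts it
        raise ValueError(f"operator not allowed: {op!r}")
    return m.group("field"), op, parse_operand_safe(m.group("operand"))


def is_rejected(expr: str) -> bool:
    """Helper: True if the safe parser refuses the expression."""
    try:
        parse_comparison(expr)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: a benign comparison and a hostile operand
    # that only imports 'os' to prove reachability (no command is run).
    hostile = "__import__('os')"
    print("restricted eval still imports os:", builtins_reachable(hostile))
    print(parse_comparison("age >= 18"))
    print(parse_comparison("tags in ['a', 'b']"))
    print("safe parser rejects hostile operand:",
          is_rejected(f"field == {hostile}.system('id')"))
```

Two points the code makes concrete: eval() inserts the real builtins module whenever the globals dict lacks a "__builtins__" key, so listing a few allowed names is no restriction at all; and even an explicit "__builtins__": {} is not a fix, because Python's object introspection offers other routes back to the interpreter, which is why the safe parser never calls eval() in any form. The grammar above is an assumption for the example; the real fix is whatever grammar the project adopts, as long as operands are parsed as data and not evaluated.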

Advisories
Source: GitHub GHSA | ID: GHSA-2799-6g5r-mmc7 | Title: Superduper: Remote code execution via unsafe eval in superduper query parsing
History

Wed, 13 May 2026 18:45:00 +0000

Type Values Removed Values Added
Title Critical Remote Code Execution in SuperDuper Query Parser

Wed, 13 May 2026 17:45:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Unsafe Eval in superduper Query Parser
Weaknesses CWE-95

Wed, 13 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Superduper-io; Superduper-io superduper
Vendors & Products Superduper-io; Superduper-io superduper

Tue, 12 May 2026 19:30:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Unsafe Eval in superduper Query Parser
Weaknesses CWE-94
CWE-95

Tue, 12 May 2026 16:00:00 +0000

Type Values Removed Values Added
Description The superduper project thru v0.10.0 contains a critical remote code execution vulnerability in its query parsing component. The _parse_op_part() function in query.py uses the unsafe eval() function to dynamically evaluate user-supplied query operands without proper sanitization or restriction. Although the function attempts to limit the execution context by providing a restricted global namespace, it does not block access to dangerous built-in functions. A remote attacker can exploit this by submitting a specially crafted query string containing Python code that imports modules (e.g., os) and executes arbitrary system commands, leading to complete compromise of the server.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-13T13:04:44.955Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31225

Vulnrichment

Updated: 2026-05-13T13:01:45.707Z

NVD

Status : Awaiting Analysis

Published: 2026-05-12T16:16:14.430

Modified: 2026-05-13T15:52:25.637

Link: CVE-2026-31225

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T18:30:46Z

Weaknesses