Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

All statuses

Filter by:

With package: python313Packages.lupa

Found 1 matching suggestions

View:

Compact

Detailed

Untriaged

Permalink CVE-2026-34444

created 1 week, 4 days ago

Lupa has a Sandbox escape and RCE due to incomplete attribute_filter enforcement in getattr / setattr

Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution.

References

https://github.com/scoder/lupa/security/advisories/GHSA-69v7-xpr6-6gjm x_refsource_CONFIRM

Affected products

lupa

==<= 2.6

Matching in nixpkgs

pkgs.python312Packages.lupa

Lua in Python

nixos-25.11 2.5
- nixos-25.11-small 2.5
- nixpkgs-25.11-darwin 2.5

pkgs.python313Packages.lupa

Lua in Python

nixos-unstable 2.6
- nixpkgs-unstable 2.6
- nixos-unstable-small 2.6
nixos-25.11 2.5
- nixos-25.11-small 2.5
- nixpkgs-25.11-darwin 2.5

pkgs.python314Packages.lupa

Lua in Python

nixos-unstable 2.6
- nixpkgs-unstable 2.6
- nixos-unstable-small 2.6

Package maintainers

@fabaff Fabian Affolter <mail@fabian-affolter.ch>

1