{"id":"PYSEC-2024-226","details":"Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library prior to version 2024.2.20. This method passes its input string to `eval()`, so parsing an untrusted input string can execute arbitrary code. Version 2024.2.20 fixes this issue.","aliases":["CVE-2024-23346","GHSA-vgv8-5cpj-qj2f"],"modified":"2026-02-05T14:15:03.126122Z","published":"2024-02-21T17:15:09Z","related":["GHSA-vgv8-5cpj-qj2f"],"references":[{"type":"ADVISORY","url":"https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f"},{"type":"EVIDENCE","url":"https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f"},{"type":"EVIDENCE","url":"https://www.vicarius.io/vsociety/posts/critical-security-flaw-in-pymatgen-library-cve-2024-23346"},{"type":"FIX","url":"https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd236b376bcf5a"},{"type":"WEB","url":"https://github.com/materialsproject/pymatgen/blob/master/pymatgen/symmetry/settings.py#L97C1-L111C108"},{"type":"WEB","url":"https://www.vicarius.io/vsociety/posts/critical-security-flaw-in-pymatgen-library-cve-2024-23346"}],"affected":[{"package":{"name":"pymatgen","ecosystem":"PyPI","purl":"pkg:pypi/pymatgen"},"ranges":[{"type":"GIT","repo":"https://github.com/materialsproject/pymatgen","events":[{"introduced":"0"},{"fixed":"c231cbd3d5147ee920a37b6ee9dd236b376bcf5a"},{"fixed":"c231cbd3d5147ee920a37b6ee9dd236b376bcf5a"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2024.2.20"}]}],"versions":["1.0.4","1.0.5","1.1.0","1.1.1","1.1.2","1.2.0","1.2.1","1.2.2","1.2.3","1.2.4","1.2.8","1.2.9","1.5.0","1.6.0","1.7.0","1.7.2","1.8.0","1.8.2","1.8.3","1.9.0","2.0.0","2.1.0","2.1.2","2.10.0","2.10.1","2.10.2","2.10.3","2.10.4","2.10.5","2.10.6","2.2.0","2.
2.1","2.2.2","2.2.3","2.2.4","2.2.6","2.3.0","2.3.1","2.3.2","2.4.0","2.4.1","2.4.2","2.4.3","2.5.0","2.5.1","2.5.2","2.5.3","2.5.4","2.5.5","2.6.1","2.6.2","2.6.3","2.6.4","2.6.5","2.6.6","2.7.0","2.7.1","2.7.2b","2.7.3","2.7.4","2.7.5","2.7.6","2.7.7","2.7.8","2.7.9","2.8.0","2.8.1","2.8.10","2.8.2","2.8.3","2.8.5","2.8.6","2.8.7","2.8.8","2.8.9","2.9.0","2.9.1","2.9.10","2.9.11","2.9.12","2.9.13","2.9.14","2.9.2","2.9.3","2.9.4","2.9.5","2.9.6","2.9.7","2.9.8","2.9.9","2017.10.16","2017.11.27","2017.11.30","2017.11.6","2017.11.9","2017.12.15","2017.12.16","2017.12.30","2017.12.6","2017.12.8","2017.6.22","2017.6.24","2017.6.8","2017.7.21","2017.7.4","2017.8.14","2017.8.16","2017.8.20","2017.8.21","2017.8.4","2017.9.1","2017.9.23","2017.9.3","2018.1.19","2018.1.29","2018.10.18","2018.11.30","2018.11.6","2018.12.12","2018.2.13","2018.3.13","2018.3.14","2018.3.2","2018.3.23","2018.4.20","2018.4.6","2018.5.14","2018.5.21","2018.5.22","2018.5.3","2018.6.11","2018.6.27","2018.7.15","2018.7.23","2018.8.10","2018.8.7","2018.9.1","2018.9.12","2018.9.19","2018.9.30","2019.1.13","2019.1.24","2019.10.16","2019.10.2","2019.10.3","2019.10.4","2019.11.11","2019.12.22","2019.12.3","2019.2.24","2019.2.28","2019.2.4","2019.3.13","2019.3.27","2019.4.11","2019.5.1","2019.5.28","2019.5.8","2019.6.20","2019.6.5","2019.7.2","2019.7.21","2019.7.30","2019.8.14","2019.8.23","2019.9.12","2019.9.16","2019.9.7","2019.9.8","2020.1.10","2020.1.28","2020.10.20","2020.10.9","2020.10.9.1","2020.11.11","2020.12.18","2020.12.3","2020.12.31","2020.3.13","2020.3.2","2020.4.2","2020.4.29","2020.6.8","2020.7.10","2020.7.14","2020.7.16","2020.7.18","2020.7.3","2020.8.13","2020.8.3","2020.9.14","2021.2.13","2021.2.14","2021.2.16","2021.2.8","2021.2.8.1","2021.3.3","2021.3.4","2021.3.5","2021.3.9","2022.0.0","2022.0.1","2022.0.10","2022.0.11","2022.0.12","2022.0.13","2022.0.14","2022.0.15","2022.0.16","2022.0.17","2022.0.2","2022.0.3","2022.0.4","2022.0.5","2022.0.6","2022.0.7","2022.0.8","2022.0.9","2022.
1.20","2022.1.24","2022.1.8","2022.1.9","2022.10.22","2022.11.1","2022.11.7","2022.2.1","2022.2.10","2022.2.7","2022.3.22","2022.3.24","2022.3.29","2022.3.7","2022.4.19","2022.4.26","2022.5.17","2022.5.18","2022.5.18.1","2022.5.19","2022.5.26","2022.7.19","2022.7.24","2022.7.24.1","2022.7.25","2022.7.8","2022.8.23","2022.9.21","2022.9.8","2023.1.20","2023.1.30","2023.1.9","2023.10.11","2023.10.3","2023.10.4","2023.11.10","2023.11.12","2023.12.18","2023.2.22","2023.2.28","2023.3.10","2023.3.23","2023.5.10","2023.5.31","2023.5.8","2023.6.23","2023.6.28","2023.7.11","2023.7.14","2023.7.17","2023.7.20","2023.8.10","2023.9.10","2023.9.2","2023.9.25","2024.1.26","2024.1.27","2024.2.8","3.0.0","3.0.1","3.0.10","3.0.11","3.0.12","3.0.13","3.0.2","3.0.3","3.0.4","3.0.5","3.0.6","3.0.7","3.0.8","3.0.9","3.1.0","3.1.1","3.1.2","3.1.3","3.1.4","3.1.5","3.1.6","3.1.7","3.1.8","3.1.9","3.2.0","3.2.1","3.2.10","3.2.2","3.2.3","3.2.4","3.2.5","3.2.6","3.2.7","3.2.8","3.2.9","3.3.0","3.3.1","3.3.2","3.3.3","3.3.4","3.3.5","3.3.6","3.4.0","3.5.0","3.5.1","3.5.2","3.5.3","3.6.0","3.6.1","3.7.0","3.7.1","4.0.0","4.0.1","4.0.2","4.1.0","4.1.1","4.2.0","4.2.1","4.2.2","4.2.3","4.2.4","4.2.5","4.3.0","4.3.1","4.3.2","4.4.0","4.4.1","4.4.10","4.4.11","4.4.12","4.4.2","4.4.3","4.4.4","4.4.5","4.4.6","4.4.7","4.4.8","4.4.9","4.5.0","4.5.1","4.5.2","4.5.3","4.5.4","4.5.5","4.5.6","4.5.7","4.6.0","4.6.1","4.6.2","4.7.0","4.7.1","4.7.2","4.7.3","4.7.4","4.7.5","4.7.6","4.7.7"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/pymatgen/PYSEC-2024-226.yaml"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}