Key flaws in AI agent dev tool Langflow under active exploitation

Missing authentication on a dangerous API endpoint

The flaw is very simple: the API endpoint /api/v1/validate/code lacks an authentication check and passes code to Python's exec function. However, it does not run exec directly on the submitted code but on function definitions, which makes the functions available for execution without executing their code.

Therefore, Horizon3.ai researchers had to come up with an alternative exploitation method, using a Python feature called a decorator, which “is a return function that contains other functions.”

The proof of concept released by Horizon3.ai on April 9 uses decorators to achieve remote code execution, but the researchers noted that third-party researchers achieved the same result by abusing another feature of Python functions, called default parameters.
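The following added example (not Horizon3.ai's proof of concept and not Langflow code) shows why running exec on a function definition is not inert, and how a parse-only review can flag the two constructs named above. The `record` helper, the `SAMPLE` string and both function names are hypothetical and constructed for illustration.

```python
import ast

# Constructed sample: record() is a harmless stand-in that only logs a tag.
SAMPLE = '''
@record("decorator")
def f(x=record("default")):
    record("body")
'''

def definition_time_calls(source):
    """Exec only the function definitions, as the article describes, and
    return which expressions ran even though f() is never called."""
    seen = []

    def record(tag):
        seen.append(tag)
        return lambda fn: fn  # lets record(...) also serve as a decorator

    tree = ast.parse(source)
    defs = [n for n in tree.body if isinstance(n, ast.FunctionDef)]
    module = ast.Module(body=defs, type_ignores=[])
    exec(compile(module, "<sample>", "exec"), {"record": record})
    return seen

def flag_definition_time_code(source):
    """Parse only (no exec) and list function definitions that carry
    decorators or non-literal defaults; both are evaluated at definition."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            if node.decorator_list:
                findings.append((node.name, "decorator"))
            defaults = list(node.args.defaults)
            # kw_defaults holds None for keyword-only args without a default
            defaults += [d for d in node.args.kw_defaults if d is not None]
            if any(not isinstance(d, ast.Constant) for d in defaults):
                findings.append((node.name, "default"))
    return findings

if __name__ == "__main__":
    print(definition_time_calls(SAMPLE))      # body tag is absent
    print(flag_definition_time_code(SAMPLE))  # both constructs flagged
```

The static check is a review aid for submitted code, not a sandbox; it only covers the two constructs the article mentions.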
