Skip to content

[GHSA-5r2p-pjr8-7fh7] SageMaker Python SDK replaced eval() with safe parser in JumpStart search functionality#8696

Open
eddiegrau wants to merge 1 commit into
eddiegrau/advisory-improvement-8696from
eddiegrau-GHSA-5r2p-pjr8-7fh7
Open

[GHSA-5r2p-pjr8-7fh7] SageMaker Python SDK replaced eval() with safe parser in JumpStart search functionality#8696
eddiegrau wants to merge 1 commit into
eddiegrau/advisory-improvement-8696from
eddiegrau-GHSA-5r2p-pjr8-7fh7

Conversation

@eddiegrau

Copy link
Copy Markdown

Updates

  • Affected products

Comments
The affected-version range incorrectly includes SageMaker SDK v2. This advisory concerns Python built-in eval() in the v3 sagemaker.core.jumpstart.search.search_hub() implementation. The SageMaker v2.257.2 and v2.257.3 distributions do not contain that module or the search_hub() API; therefore they cannot reach the vulnerable code path. The affected range should begin with the SageMaker v3 release line: >= 3.0.0, < 3.4.0

@github

github commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator

Hi there @mufaddal-rohawala! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@github-actions github-actions Bot changed the base branch from main to eddiegrau/advisory-improvement-8696 July 13, 2026 21:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants