CVE-2024-23346

CRITICAL

pymatgen < 2024.2.20 - Remote Code Execution via JonesFaithfulTransformation.from_transformation_str()

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 6 public exploits for CVE-2024-23346. PoCs published by Mohammed Idrees Banyamer, DAVIDAROCA27, 9carlo6.

AI-analyzed exploit summary This exploit leverages a Python code injection vulnerability in Pymatgen's CIF parser by embedding a reverse shell payload in a malicious CIF file. The payload abuses Python's class introspection to execute arbitrary commands when the file is parsed.

Description

Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library prior to version 2024.2.20. This method insecurely utilizes `eval()` for processing input, enabling execution of arbitrary code when parsing untrusted input. Version 2024.2.20 fixes this issue.

Exploits (6)

exploitdb WORKING POC
by Mohammed Idrees Banyamer · pythonremotepython
https://www.exploit-db.com/exploits/52205

This exploit leverages a Python code injection vulnerability in Pymatgen's CIF parser by embedding a reverse shell payload in a malicious CIF file. The payload abuses Python's class introspection to execute arbitrary commands when the file is parsed.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Pymatgen 2024.1
No auth needed
Prerequisites: Network connectivity to attacker-controlled IP/port · Victim must parse the malicious CIF file
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 4 stars
by DAVIDAROCA27 · poc
https://github.com/DAVIDAROCA27/CVE-2024-23346-exploit

This repository contains a functional exploit for CVE-2024-23346, targeting a Remote Code Execution (RCE) vulnerability in the `pymatgen` library via a malicious CIF file upload. The exploit automates authentication, file upload, and command execution on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: pymatgen (CIF Analyzer)
Auth required
Prerequisites: Valid credentials for the target application · Network access to the target system
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC 4 stars
by 9carlo6 · poc
https://github.com/9carlo6/CVE-2024-23346

This repository contains a functional exploit for CVE-2024-23346, leveraging a malicious Crystallographic Information File (CIF) to achieve remote code execution (RCE) via Python code injection in the `_space_group_magn.transform_BNS_Pp_abc` field. The exploit targets a vulnerability in pymatgen, where arbitrary commands are executed when the CIF file is processed.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: pymatgen (specific version not specified)
No auth needed
Prerequisites: Access to a system processing malicious CIF files · Network connectivity to attacker-controlled server for reverse shell
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC 1 stars
by Sanity-Archive · poc
https://github.com/Sanity-Archive/CVE-2024-23346

This repository contains a functional exploit for CVE-2024-23346, which leverages a malicious CIF file upload to achieve remote code execution (RCE) via a Python type confusion vulnerability in pymatgen. The exploit includes authentication, file upload, and payload triggering mechanisms.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: pymatgen (specific version not specified)
Auth required
Prerequisites: Valid credentials for the target application · Network access to the target · Ability to upload files
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC
by MAWK0235 · poc
https://github.com/MAWK0235/CVE-2024-23346

This repository contains a functional exploit for CVE-2024-23346, leveraging a Python script to execute arbitrary commands on a vulnerable system. The exploit uses a crafted CIF file to trigger arbitrary code execution via Python's `__mro__` and `__subclasses__` manipulation, establishing a reverse shell to the attacker's machine.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Pymatgen CIF Parser (version not specified)
Auth required
Prerequisites: Valid credentials for the target system · Network connectivity to the target · Python 3.11 environment
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC
by szyth · poc
https://github.com/szyth/CVE-2024-23346-rust-exploit

This repository contains a functional Rust exploit for CVE-2024-23346, leveraging a code injection vulnerability in a web application to achieve remote command execution (RCE). The exploit authenticates, uploads a malicious CIF file with embedded payload, and establishes a reverse shell via netcat.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Unknown (likely a web application using Pymatgen CIF Parser)
Auth required
Prerequisites: Valid credentials for the target application · Network access to the target · Netcat or similar tool for reverse shell
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 9.3
EPSS 0.5929
EPSS Percentile 98.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-77
Status published
Products (2)
materialsvirtuallab/pymatgen < 2024.2.20
pypi/pymatgen 0 - 2024.2.20PyPI
Published Feb 21, 2024
Tracked Since Feb 18, 2026