Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1nN3Z2LTJ2N3gtZ2o5cM4AA7v0

tqdm CLI arguments injection attack

Impact

Any optional non-boolean CLI arguments (e.g. --delim, --buf-size, --manpath) are passed through python's eval, allowing arbitrary code execution. Example:

python -m tqdm --manpath="\" + str(exec(\"import os\nos.system('echo hi && killall python3')\")) + \""

Patches

https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316 released in tqdm>=4.66.3

Workarounds

None

References

Permalink: https://github.com/advisories/GHSA-g7vv-2v7x-gj9p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nN3Z2LTJ2N3gtZ2o5cM4AA7v0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 7 months ago
Updated: 6 months ago


CVSS Score: 3.9
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Identifiers: GHSA-g7vv-2v7x-gj9p, CVE-2024-34062
References: Repository: https://github.com/tqdm/tqdm
Blast Radius: 20.0

Affected Packages

pypi:tqdm
Dependent packages: 11,524
Dependent repositories: 136,364
Downloads: 126,741,510 last month
Affected Version Ranges: >= 4.4.0, < 4.66.3
Fixed in: 4.66.3
All affected versions: 4.4.0, 4.4.1, 4.4.3, 4.5.0, 4.5.2, 4.6.1, 4.6.2, 4.7.0, 4.7.1, 4.7.2, 4.7.4, 4.7.6, 4.8.1, 4.8.2, 4.8.3, 4.8.4, 4.9.0, 4.10.0, 4.11.0, 4.11.1, 4.11.2, 4.12.0, 4.13.0, 4.14.0, 4.15.0, 4.16.0, 4.17.0, 4.17.1, 4.18.0, 4.19.1, 4.19.2, 4.19.4, 4.19.5, 4.19.6, 4.19.7, 4.19.8, 4.19.9, 4.20.0, 4.21.0, 4.22.0, 4.23.0, 4.23.1, 4.23.2, 4.23.3, 4.23.4, 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, 4.28.1, 4.29.0, 4.29.1, 4.30.0, 4.31.0, 4.31.1, 4.32.0, 4.32.1, 4.32.2, 4.33.0, 4.34.0, 4.35.0, 4.36.0, 4.36.1, 4.37.0, 4.38.0, 4.39.0, 4.40.0, 4.40.1, 4.40.2, 4.41.0, 4.41.1, 4.42.0, 4.42.1, 4.43.0, 4.44.0, 4.44.1, 4.45.0, 4.46.0, 4.46.1, 4.47.0, 4.48.0, 4.48.1, 4.48.2, 4.49.0, 4.50.0, 4.50.1, 4.50.2, 4.51.0, 4.52.0, 4.53.0, 4.54.0, 4.54.1, 4.55.0, 4.55.1, 4.55.2, 4.56.0, 4.56.1, 4.56.2, 4.57.0, 4.58.0, 4.59.0, 4.60.0, 4.61.0, 4.61.1, 4.61.2, 4.62.0, 4.62.1, 4.62.2, 4.62.3, 4.63.0, 4.63.1, 4.63.2, 4.64.0, 4.64.1, 4.65.0, 4.65.1, 4.65.2, 4.66.0, 4.66.1, 4.66.2
All unaffected versions: 2.0.0, 2.2.3, 2.2.4, 3.1.3, 3.1.4, 3.4.0, 3.7.0, 3.7.1, 3.8.0, 4.1.0, 4.66.3, 4.66.4, 4.66.5, 4.66.6, 4.67.0, 4.67.1