CVE-2024-34062
Severity: MEDIUM
tqdm 4.4.0-4.66.2 - Remote Code Execution via CLI Argument Eval
Title source: llmDescription
tqdm is an open source progress bar for Python and the command line. Any optional non-boolean CLI argument (e.g. `--delim`, `--buf-size`, `--manpath`) is passed through Python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and has been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References (5)
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/PA3GIGHPWAHCTT4UF57LTPZGWHAX3GW6/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/QRECVQCCESHBS3UJOWNXQUIX725TKNY6/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/VA337CYUS4SLRFV2P6MX6MZ2LKFURKJC/
Vendor Advisory, x_refsource_confirm
https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p
Patch, x_refsource_misc
https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316
Scores
CVSS v3
4.8
EPSS
0.0011
EPSS Percentile
28.5%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-74
Status
published
Products (2)
pypi/tqdm
4.4.0 - 4.66.3
PyPI
tqdm/tqdm
>= 4.4.0, < 4.66.3
Published
May 03, 2024
Tracked Since
Feb 18, 2026