CVE-2024-9287
HIGHCPython < 3.9.21 - Command Injection via Unquoted Path in venv Module
Title source: llmDescription
A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.
References (12)
Core 12
Core References
Vendor Advisory
https://security.netapp.com/advisory/ntap-20250425-0006/
Issue Tracking issue-tracking
https://github.com/python/cpython/issues/124651
Issue Tracking, Patch patch
https://github.com/python/cpython/pull/124712
Vendor Advisory vendor-advisory
https://mail.python.org/archives/list/[email protected]/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/
Scores
CVSS v3
7.8
EPSS
0.0065
EPSS Percentile
46.0%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-428
CWE-77
Status
published
Products (2)
python/python
3.14.0 alpha1
python/python
< 3.9.21
Published
Oct 22, 2024
Tracked Since
Feb 18, 2026