CVE-2024-9287
📋 TL;DR
This vulnerability in CPython's venv module allows command injection when a virtual environment is created with an attacker-controlled path name. The path name is embedded in the generated activation scripts, so arbitrary commands run with the user's privileges when that environment is later activated with 'source venv/bin/activate'. Only users who activate virtual environments created from attacker-controlled input are affected.
💻 Affected Systems
- CPython
📦 What is this software?
Python by Python
Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through arbitrary command execution with the privileges of the user activating the virtual environment, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Limited command execution in development environments, potentially compromising developer workstations or CI/CD pipelines that use untrusted virtual environments.
If Mitigated
No impact if users only activate trusted virtual environments or use direct Python binary execution (./venv/bin/python).
🎯 Exploit Status
Exploitation requires the victim to create a virtual environment from attacker-controlled input and then activate it with the 'source' command. The flaw lies in how the activation scripts are generated, not in the act of activation itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: CPython 3.12.9, 3.13.1, and 3.14.0a7
Vendor Advisory: https://github.com/python/cpython/security/advisories/GHSA-xxxx-xxxx-xxxx
Restart Required: No
Instructions:
1. Upgrade to CPython 3.12.9, 3.13.1, or 3.14.0a7 or later.
2. For existing virtual environments, delete and recreate them with the patched version.
3. No system restart is required, but affected virtual environments need recreation.
🔧 Temporary Workarounds
Avoid source activation (applies to: all platforms)
Use direct Python binary execution instead of activating virtual environments with the 'source' command:
./venv/bin/python script.py
./venv/bin/pip install package
Validate virtual environment paths (applies to: all platforms)
Only create virtual environments from trusted, non-user-controlled path names
🧯 If You Can't Patch
- Only create virtual environments from trusted, non-user-controlled path names
- Use direct Python binary execution (./venv/bin/python) instead of activating virtual environments
🔍 How to Verify
Check if Vulnerable:
Check the CPython version with python --version. If the version is earlier than 3.12.9, 3.13.1, or 3.14.0a7, you are vulnerable.
Check Version:
python --version
Verify Fix Applied:
After upgrading, verify the version is 3.12.9+, 3.13.1+, or 3.14.0a7+. Test by creating a virtual environment whose path contains special characters and inspecting the generated activation scripts.
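The two defensive checks above (rejecting untrusted path names before calling venv, and confirming the interpreter carries the fix) plus a quick triage scan of an existing activation script can be scripted. The block below is an added example written for this advisory, not code from CPython or from the advisory itself. It assumes the fixed-version thresholds exactly as this page states them (3.12.9, 3.13.1, 3.14.0a7), treats series older than 3.12 as unpatched and series newer than 3.14 as fixed, and the activate-script fragment it scans is constructed for illustration; the VIRTUAL_ENV heuristic is a triage aid, not a shell parser.

```python
import re
import sys

# Fixed releases as stated in this advisory, keyed by minor series and laid out
# like sys.version_info: (major, minor, micro, releaselevel, serial).
# The releaselevel strings compare correctly as plain text: 'alpha' < 'beta' < 'candidate' < 'final'.
PATCHED_SINCE = {
    (3, 12): (3, 12, 9, "final", 0),
    (3, 13): (3, 13, 1, "final", 0),
    (3, 14): (3, 14, 0, "alpha", 7),
}


def _normalize(version):
    """Pad a (major, minor, micro[, level, serial]) tuple to the five-field version_info layout."""
    v = tuple(version)
    level = v[3] if len(v) > 3 else "final"
    serial = v[4] if len(v) > 4 else 0
    return v[:3] + (level, serial)


def is_patched(version_info=None):
    """True when the interpreter is at or beyond the fixed release for its minor series.

    Series this advisory does not list are handled conservatively: older than 3.12
    is reported as unpatched, newer than 3.14 is assumed to include the fix.
    """
    v = _normalize(sys.version_info if version_info is None else version_info)
    series = v[:2]
    if series in PATCHED_SINCE:
        return v >= PATCHED_SINCE[series]
    return series > (3, 14)


# Allow-list for venv path names: letters, digits, dot, underscore, slash, dash.
# Anything the shell could interpret (spaces, quotes, $, backticks, ;, &, |, parentheses) is rejected.
_SAFE_PATH = re.compile(r"[A-Za-z0-9._/-]+")


def is_safe_venv_path(path):
    """Return True only for path names that contain no shell-significant characters.

    A leading '-' is also refused so the name can never be mistaken for a CLI option.
    """
    return bool(_SAFE_PATH.fullmatch(path)) and not path.startswith("-")


# Command substitution / command separators that should never appear inside a VIRTUAL_ENV value.
_CMD_META = re.compile(r"\$\(|`|;|\|\||&&")


def suspicious_activate_lines(script_text):
    """Triage heuristic for a POSIX 'activate' script.

    Returns (line_number, line) for every VIRTUAL_ENV assignment whose value is not
    single-quoted, or is double-quoted/unquoted and carries command-substitution or
    separator metacharacters. Single-quoted values are left alone because the shell
    does not expand anything inside them.
    """
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        m = re.match(r"\s*(?:export\s+)?VIRTUAL_ENV=(.*)$", line)
        if not m:
            continue
        value = m.group(1).strip()
        single_quoted = len(value) >= 2 and value[0] == value[-1] == "'"
        if single_quoted:
            continue
        if _CMD_META.search(value):
            hits.append((lineno, line))
    return hits


# Constructed fragment for demonstration only; not a real activate script.
SAMPLE_ACTIVATE = "\n".join([
    "# constructed sample",
    'export VIRTUAL_ENV="/home/dev/proj$(id)"',
    "VIRTUAL_ENV='/home/dev/safe project'",
    'export PATH="$VIRTUAL_ENV/bin:$PATH"',
])


if __name__ == "__main__":
    print("interpreter patched:", is_patched())
    for candidate in ("/home/dev/venv", "/home/dev/$(id)", "my venv"):
        print(f"{candidate!r} safe: {is_safe_venv_path(candidate)}")
    for lineno, line in suspicious_activate_lines(SAMPLE_ACTIVATE):
        print(f"suspicious line {lineno}: {line}")
```

Run the version check in CI before any job that creates virtual environments, gate user-supplied environment names through is_safe_venv_path, and point suspicious_activate_lines at the bin/activate of any environment you did not create yourself before sourcing it.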
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution during virtual environment activation
- Suspicious activity in virtual environment directories
Network Indicators:
- Outbound connections from Python processes during virtual environment activation
SIEM Query:
Process execution where command contains 'source' and path to virtual environment activation script followed by unexpected child processes
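The SIEM query above is stated in prose; the block below is an added example, not part of the advisory, that turns it into detection logic over process events. It assumes a telemetry source that records the shell's own command line (so that a 'source .../bin/activate' line is visible) together with pid/ppid for every process, and the event records are constructed for illustration. A child of the activating shell that is not one of the expected interpreter or pip binaries, within a short window after activation, is flagged.

```python
import os
import shlex

# Processes a freshly activated virtual environment is expected to spawn.
# Tune this allow-list to your environment (linters, test runners, etc.) to reduce noise.
EXPECTED_CHILDREN = {"python", "python3", "pip", "pip3"}


def flag_post_activation_children(events, window_s=30):
    """Flag unexpected child processes spawned by a shell shortly after it sourced an activate script.

    events: iterable of dicts with keys ts (seconds), pid, ppid, cmd.
    Returns a list of (pid, cmd) tuples for children that fall outside EXPECTED_CHILDREN
    and start within window_s seconds of the parent shell's activation.
    """
    activations = {}  # shell pid -> timestamp of its most recent activation command
    flagged = []
    # sorted() is stable, so events sharing a timestamp keep their original order.
    for ev in sorted(events, key=lambda e: e["ts"]):
        cmd = ev["cmd"]
        if "source " in cmd and "/bin/activate" in cmd:
            activations[ev["pid"]] = ev["ts"]
            continue
        act_ts = activations.get(ev["ppid"])
        if act_ts is None or not (0 <= ev["ts"] - act_ts <= window_s):
            continue
        argv = shlex.split(cmd)
        exe = os.path.basename(argv[0]) if argv else ""
        if exe not in EXPECTED_CHILDREN:
            flagged.append((ev["pid"], cmd))
    return flagged


# Constructed process events for demonstration; not real telemetry.
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 10, "ppid": 1, "cmd": "bash"},
    {"ts": 101, "pid": 10, "ppid": 1, "cmd": "source /home/dev/proj/venv/bin/activate"},
    {"ts": 101, "pid": 11, "ppid": 10, "cmd": "/usr/bin/curl http://example.invalid/x"},
    {"ts": 102, "pid": 12, "ppid": 10, "cmd": "/home/dev/proj/venv/bin/python app.py"},
    {"ts": 200, "pid": 13, "ppid": 10, "cmd": "ls -la"},
]


if __name__ == "__main__":
    for pid, cmd in flag_post_activation_children(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} unexpected child after venv activation: {cmd}")
```

The window keeps ordinary interactive use of the shell from tripping the rule minutes later; the curl child at the same second as the activation is exactly the pattern the network-indicator bullet above describes, while the interpreter launch is ignored.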
🔗 References
- https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7
- https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db
- https://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8
- https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97
- https://github.com/python/cpython/commit/d48cc82ed25e26b02eb97c6263d95dcaa1e9111b
- https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483
- https://github.com/python/cpython/issues/124651
- https://github.com/python/cpython/pull/124712
- https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/
- https://lists.debian.org/debian-lts-announce/2024/11/msg00024.html
- https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
- https://security.netapp.com/advisory/ntap-20250425-0006/