LOW 3.9
GHSA-g7vv-2v7x-gj9p
tqdm CLI arguments injection attack
Details
### Impact

Any optional non-boolean CLI argument (e.g. `--delim`, `--buf-size`, `--manpath`) is passed through Python's `eval`, so the argument's text is executed as Python code rather than parsed as a value, allowing arbitrary code execution. Example:

```sh
python -m tqdm --manpath="\" + str(exec(\"import os\nos.system('echo hi && killall python3')\")) + \""
```
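The vulnerable pattern described above next to a hardened caster, as an added illustration that is not tqdm's own code; the option table and the small `--name=value` parser are assumptions made for the example.

```python
# Added illustration of the bug class in this advisory (hypothetical code,
# not tqdm's own): a CLI option caster that hands non-boolean values to
# eval(), beside a hardened replacement. Option names follow the advisory.

# Constructed option table (hypothetical): option name -> expected type.
OPTION_TYPES = {"delim": str, "buf-size": int, "manpath": str, "null": bool}


def _as_bool(value):
    return value.lower() in ("true", "1", "yes")


def cast_unsafe(name, value):
    """Vulnerable pattern: every non-boolean value goes through eval(), so
    the option text is executed as Python instead of being parsed."""
    if OPTION_TYPES[name] is bool:
        return _as_bool(value)
    return eval(value)  # the defect: arbitrary code execution


def cast_safe(name, value):
    """Hardened pattern: convert with the declared type's constructor and
    keep strings verbatim, so no option value is ever interpreted as code."""
    typ = OPTION_TYPES[name]
    if typ is bool:
        return _as_bool(value)
    if typ is str:
        return value
    try:
        return typ(value)
    except ValueError as exc:
        raise ValueError(f"--{name}: expected {typ.__name__}, got {value!r}") from exc


def parse_args(argv, cast=cast_safe):
    """Parse '--name=value' (or bare '--flag' for booleans) into a dict."""
    opts = {}
    for tok in argv:
        if not tok.startswith("--"):
            raise ValueError(f"unexpected token {tok!r}")
        key, sep, val = tok[2:].partition("=")
        if key not in OPTION_TYPES:
            raise ValueError(f"unknown option --{key}")
        if not sep:
            if OPTION_TYPES[key] is not bool:
                raise ValueError(f"--{key} needs a value")
            val = "true"
        opts[key] = cast(key, val)
    return opts
```

With `cast_unsafe`, an integer option such as `--buf-size` accepts any Python expression; `cast_safe` rejects everything `int()` cannot parse and leaves string options untouched.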
### Patches

https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316, released in `tqdm>=4.66.3`.

### Workarounds

None.

### References

- https://github.com/tqdm/tqdm/releases/tag/v4.66.3
References
- https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2024-34062 [ADVISORY]
- https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316 [WEB]
- https://github.com/tqdm/tqdm [PACKAGE]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PA3GIGHPWAHCTT4UF57LTPZGWHAX3GW6 [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRECVQCCESHBS3UJOWNXQUIX725TKNY6 [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VA337CYUS4SLRFV2P6MX6MZ2LKFURKJC [WEB]