CVE-2024-34062 — Injection in Tqdm

CWE-74 — Injection9 documents7 sources

Severity

4.8MEDIUMNVD

EPSS

0.1%

top 74.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tqdm Debian Tqdm Msrc Azl3 Conda 24.1.2-2 ON Azure Linux 3.0 +9 more

Timeline

PublishedMay 3

Latest updateJan 16

Description

tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:LExploitability: 1.3 | Impact: 3.4

Affected Packages15 packages

▶msrcmsrc/azl3_python-tqdm_4.66.2-2_on_azure_linux_3.0

▶msrcmsrc/cbl2_python-tqdm_4.63.1-3_on_cbl_mariner_2.0

▶PyPItqdm/tqdm4.4.0 — 4.66.3

▶debiandebian/tqdm< tqdm 4.66.4-1 (forky)

▶Debiantqdm/tqdm< 4.66.4-1+1

🔴Vulnerability Details

OSV

tqdm vulnerability↗2025-01-16

▶

OSV

CVE-2024-34062: tqdm is an open source progress bar for Python and CLI↗2024-05-03

▶

GHSA

tqdm CLI arguments injection attack↗2024-05-03

▶

OSV

tqdm CLI arguments injection attack↗2024-05-03

▶

📋Vendor Advisories

Ubuntu

tqdm vulnerability↗2025-01-16

▶

Microsoft

tqdm CLI arguments injection attack↗2024-05-14

▶

Red Hat

python-tqdm: non-boolean CLI arguments may lead to local code execution↗2024-05-03

▶

Debian

CVE-2024-34062: tqdm - tqdm is an open source progress bar for Python and CLI. Any optional non-boolean...↗2024

▶