CVE-2024-9287

Virtual environment (venv) activation scripts don't quote paths

Severity Score

5.3

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

A vulnerability has been found in the Python `venv` module and CLI. Path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts, for example, "source venv/bin/activate". This flaw allows attacker-controlled virtual environments to run commands when the virtual environment is activated.

It was discovered that Python incorrectly handled parsing bracketed hosts. A remote attacker could possibly use this issue to perform a Server-Side Request Forgery attack. This issue only affected python 2.7 and python3.4 on Ubuntu 14.04 LTS; python2.7 on Ubuntu 16.04 LTS; python2.7, python3.6, python3.7, and python3.8 on Ubuntu 18.04 LTS; python2.7 and python3.9 on Ubuntu 20.04 LTS; and python2.7 and python3.11 on Ubuntu 22.04 LTS. It was discovered that Python allowed excessive backtracking while parsing certain tarfile headers. A remote attacker could possibly use this issue to cause Python to consume excessive resources, leading to a denial of service. This issue only affected python3.4 on Ubuntu 14.04 LTS; python3.6, python3.7, and python3.8 on Ubuntu 18.04 LTS; python3.9 on Ubuntu 20.04 LTS; and python3.11 on Ubuntu 22.04 LTS.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Attack Requirements

Present

Privileges Required

High

User Interaction

Active

System

Vulnerable | Subsequent

Confidentiality

High

None

Integrity

High

None

Availability

None

Attack Vector

Local

Attack Complexity

Low

Attack Requirements

Present

Privileges Required

High

User Interaction

Active

System

Vulnerable | Subsequent

Confidentiality

High

None

Integrity

High

None

Availability

None

Attack Vector

Local

Attack Complexity

Low

Attack Requirements

Present

Privileges Required

High

User Interaction

Active

System

Vulnerable | Subsequent

Confidentiality

High

None

Integrity

High

None

Availability

None

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-09-27 CVE Reserved
2024-10-22 CVE Published
2025-07-19 EPSS Updated
2025-07-23 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-428: Unquoted Search Path or Element

CAPEC

References (11)

URL	Tag	Source
https://github.com/python/cpython/issues/124651	Issue Tracking

URL	Date	SRC

URL	Date	SRC
https://github.com/python/cpython/pull/124712	2024-10-22
https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483	2025-07-23
https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7	2025-07-23
https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db	2025-07-23
https://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8	2025-07-23
https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97	2025-07-23
https://github.com/python/cpython/commit/d48cc82ed25e26b02eb97c6263d95dcaa1e9111b	2025-07-23

URL	Date	SRC
https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL	2024-10-22
https://access.redhat.com/security/cve/CVE-2024-9287	2025-01-13
https://bugzilla.redhat.com/show_bug.cgi?id=2321440	2025-01-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Python Software Foundation Search vendor "Python Software Foundation"		CPython Search vendor "Python Software Foundation" for product "CPython"				< 3.9.21 Search vendor "Python Software Foundation" for product "CPython" and version " < 3.9.21"		en		Affected
Python Software Foundation Search vendor "Python Software Foundation"		CPython Search vendor "Python Software Foundation" for product "CPython"				>= 3.10.0 < 3.10.16 Search vendor "Python Software Foundation" for product "CPython" and version " >= 3.10.0 < 3.10.16"		en		Affected
Python Software Foundation Search vendor "Python Software Foundation"		CPython Search vendor "Python Software Foundation" for product "CPython"				>= 3.11.0 < 3.11.11 Search vendor "Python Software Foundation" for product "CPython" and version " >= 3.11.0 < 3.11.11"		en		Affected
Python Software Foundation Search vendor "Python Software Foundation"		CPython Search vendor "Python Software Foundation" for product "CPython"				>= 3.12.0 < 3.12.8 Search vendor "Python Software Foundation" for product "CPython" and version " >= 3.12.0 < 3.12.8"		en		Affected
Python Software Foundation Search vendor "Python Software Foundation"		CPython Search vendor "Python Software Foundation" for product "CPython"				>= 3.13.0 < 3.13.1 Search vendor "Python Software Foundation" for product "CPython" and version " >= 3.13.0 < 3.13.1"		en		Affected