CVE-2020-27619 Overview
CVE-2020-27619 affects Python 3 through version 3.9.0. The vulnerability resides in Lib/test/multibytecodec_support.py, where the CJK (Chinese, Japanese, Korean) codec tests call eval() on content retrieved over HTTP. An attacker capable of intercepting or controlling the HTTP response can inject arbitrary Python expressions that execute on the system running the test suite. The flaw was reported in Python issue 41944 and corrected via multiple commits to CPython. Downstream consumers including Fedora, NetApp, Gentoo, and Oracle Communications Cloud Native Core have issued advisories.
Critical Impact
A network attacker can achieve arbitrary code execution on systems running Python's CJK codec tests by serving malicious HTTP content to eval().
Affected Products
- Python 3.x through 3.9.0
- Fedora 33 and 34
- Oracle Communications Cloud Native Core Network Function Cloud Native Environment 22.2.0
Discovery Timeline
- 2020-10-22 - CVE-2020-27619 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-27619
Vulnerability Analysis
The vulnerability is a code injection flaw in the CPython test infrastructure. The file Lib/test/multibytecodec_support.py contains tests that validate CJK codec behavior by downloading reference mapping data from external URLs over HTTP. The retrieved content is then passed directly to Python's eval() built-in function to parse the mapping. Because eval() interprets its input as a Python expression, any controllable byte in the HTTP response becomes executable code in the context of the test runner.
The issue is amplified by the use of unencrypted HTTP, which permits trivial man-in-the-middle modification. The test suite runs with the privileges of the invoking user, which in continuous integration (CI) pipelines or distribution build systems may include access to signing keys, source repositories, and deployment credentials.
Root Cause
The root cause is the unsafe deserialization of untrusted network content through eval(). Test code treated remote mapping files as trusted Python expressions rather than parsing them with a restricted, data-only parser such as ast.literal_eval() or a structured format like JSON. Combined with cleartext HTTP transport, this produced a network-reachable code execution primitive.
Attack Vector
An attacker positioned on the network path between the test host and the remote mapping server can rewrite the HTTP response body to contain Python expressions. When eval() processes the response, the injected expression executes immediately. This vector is exploitable against developers, CI runners, and downstream packagers who run the Python test suite during builds. Exploitation requires no authentication and no user interaction beyond initiating the test run.
For technical details, refer to the upstream fix commits including CPython commit 2ef5caa5 and CPython commit b664a1df.
Detection Methods for CVE-2020-27619
Indicators of Compromise
- Outbound HTTP (not HTTPS) connections from Python test runners to external codec mapping hosts during test execution.
- Unexpected child processes spawned by python or pytest processes during runs of test_multibytecodec or related CJK codec tests.
- Modified or unsigned responses on HTTP downloads of Unicode mapping files used in CPython tests.
Detection Strategies
- Inventory Python installations and identify versions at or below 3.9.0 across endpoints, build servers, and container images.
- Monitor CI/CD environments for invocations of Lib/test/multibytecodec_support.py against unpatched interpreters.
- Inspect network traffic from build hosts for cleartext HTTP retrievals of files passed to eval() in test contexts.
Monitoring Recommendations
- Alert on Python processes initiating outbound HTTP connections to non-allowlisted domains during test phases.
- Track package manager events that install or upgrade Python on production and developer systems.
- Log and review CI pipeline execution where Python's full test suite runs, with attention to network egress and spawned processes.
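The indicator and strategy lists above can be turned into two concrete checks: a version inventory that applies the patched-release thresholds stated in this advisory, and a pass over egress logs that flags Python test-phase processes fetching over cleartext HTTP or reaching hosts outside an allowlist. The following is an added example written for this page, not CPython code or a vendor's detection rule; the egress log format, the host names, the allowlist and the function names are all constructed assumptions.

```python
import re
from collections import namedtuple

# Patched releases per minor series, as listed in this advisory.
PATCHED_RELEASES = {(3, 6): (3, 6, 13), (3, 7): (3, 7, 10), (3, 8): (3, 8, 7), (3, 9): (3, 9, 1)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def is_vulnerable(version):
    """True when an interpreter version (raw `python3 --version` output or a bare
    'X.Y.Z') lies in the affected range: Python 3 at or below 3.9.0 and older than
    its series' fix. 3.0-3.5 have no fixed release in this table, so they count as
    vulnerable; 3.10+ and Python 2 are outside the advisory's range."""
    m = VERSION_RE.search(version)
    if not m:
        raise ValueError(f"no version number in {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    micro = int(m.group(3) or 0)
    if major != 3 or minor > 9:
        return False
    fixed = PATCHED_RELEASES.get((major, minor))
    if fixed is None:
        return True
    return (major, minor, micro) < fixed


# Constructed egress log lines (assumed format, not a real product's):
# "<timestamp> proc=<name> pid=<n> dst=<scheme>://<host>/<path> phase=<ci phase>"
CONSTRUCTED_EGRESS_LOG = """\
2020-10-22T10:01:02Z proc=python3.8 pid=4411 dst=http://mapping-host.example.test/unicode/CP932.TXT phase=test
2020-10-22T10:01:03Z proc=python3.8 pid=4411 dst=https://pypi.org/simple/ phase=build
2020-10-22T10:01:04Z proc=curl pid=4420 dst=http://mirror.internal.example.test/fedora/ phase=build
2020-10-22T10:01:05Z proc=pytest pid=4502 dst=http://mapping-host.example.test/unicode/BIG5.TXT phase=test
2020-10-22T10:01:06Z proc=python3.9 pid=4600 dst=https://mirror.internal.example.test/unicode/BIG5.TXT phase=test
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) "
    r"dst=(?P<scheme>https?)://(?P<host>[^/\s]+)\S* phase=(?P<phase>\S+)$"
)

# Assumption: during test phases only an internal mirror is legitimate.
ALLOWLISTED_HOSTS = {"mirror.internal.example.test"}

# Interpreter and test-runner process names we care about.
PYTHON_PROC_RE = re.compile(r"^(python(\d+(\.\d+)?)?|pytest)$")

Finding = namedtuple("Finding", "ts proc pid host reason")


def parse_egress_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_cleartext_test_fetches(log_text, allowlist=ALLOWLISTED_HOSTS):
    """Flag test-phase fetches by Python processes that use cleartext HTTP or
    reach a host outside the allowlist; these are the indicators listed above."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_egress_line(line)
        if rec is None or rec["phase"] != "test" or not PYTHON_PROC_RE.match(rec["proc"]):
            continue
        reasons = []
        if rec["scheme"] == "http":
            reasons.append("cleartext-http")
        if rec["host"] not in allowlist:
            reasons.append("non-allowlisted-host")
        if reasons:
            findings.append(Finding(rec["ts"], rec["proc"], int(rec["pid"]), rec["host"], ",".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_cleartext_test_fetches(CONSTRUCTED_EGRESS_LOG):
        print(f)
```

On the constructed log the detector flags the two test-phase fetches of mapping files over plain HTTP from a non-allowlisted host and ignores the build-phase and curl traffic as well as the HTTPS fetch from the internal mirror. The version check is the part to wire into an endpoint or container inventory, feeding it the raw output of `python3 --version`.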
How to Mitigate CVE-2020-27619
Immediate Actions Required
- Upgrade Python to a patched release: 3.6.13, 3.7.10, 3.8.7, 3.9.1, or later.
- Apply distribution updates from Fedora, Gentoo (GLSA 202402-04), and NetApp (NTAP-20201123-0004).
- Apply the Oracle Critical Patch Update from July 2022 for affected Communications Cloud Native Core deployments (CPU July 2022).
- Avoid running the Python test suite on unpatched interpreters in network-connected environments.
Patch Information
The fix replaces the unsafe eval() call with safe parsing of locally cached mapping data and uses HTTPS for retrieval. The change is distributed across multiple CPython commits, including commit 43e52310, commit 6c6c256d, and commit e912e945. Refer to the Python issue tracker entry for the full discussion.
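The Root Cause section above names the defect (fields of a downloaded mapping table handed to eval()) and the remedy (a data-only parser such as ast.literal_eval() or a strict format parser); this section describes the fix as replacing that eval() with safe parsing. The example below puts the two side by side. It is an added illustration for this page, not the CPython test code or the upstream fix: the mapping-table excerpt is constructed in the style of a vendor Unicode mapping file (an assumption about the format), the "altered" line is constructed, and all function names are hypothetical.

```python
import ast
import re

# Constructed excerpt in the style of a vendor Unicode mapping table (assumed
# format): "<codec code> <Unicode code point> # comment", tab-separated.
CONSTRUCTED_MAPPING = (
    "# constructed CP932-style excerpt\n"
    "0x8140\t0x3000\t# IDEOGRAPHIC SPACE\n"
    "0x889F\t0x4E9C\t# CJK ideograph\n"
)

# The same table after one line was altered in transit (constructed). The second
# field is now a call expression rather than a hex literal; eval() runs it.
CONSTRUCTED_TAMPERED = CONSTRUCTED_MAPPING + '0x88A0\tint("0x4E9D",16)\t# altered line\n'

HEX_LITERAL = re.compile(r"^0x[0-9A-Fa-f]{1,8}$")


def _fields(text):
    """Yield (lineno, first, second) for each data line; comments and blanks are skipped."""
    for lineno, line in enumerate(text.splitlines(), 1):
        data = line.split("#", 1)[0].split()
        if not data:
            continue
        if len(data) != 2:
            raise ValueError(f"line {lineno}: expected 2 fields, got {len(data)}")
        yield lineno, data[0], data[1]


def parse_mapping_unsafe(text):
    """The pre-fix pattern this advisory describes: each field goes through eval(),
    so an altered response is executed rather than parsed. Kept only for contrast."""
    return {eval(first): eval(second) for _, first, second in _fields(text)}


def parse_hex_field(token):
    """Accept exactly one shape, a 0x-prefixed hex literal, and convert with int().
    Any other token (a call, a name, an attribute access) is an error, never code."""
    if not HEX_LITERAL.match(token):
        raise ValueError(f"not a hex literal: {token!r}")
    return int(token, 16)


def parse_mapping_safe(text):
    """Hardened parser: data-only conversion with the same result as the eval()
    version on well-formed input and ValueError on anything else."""
    return {parse_hex_field(a): parse_hex_field(b) for _, a, b in _fields(text)}


def parse_field_literal(token):
    """The other option the advisory names, ast.literal_eval(): it evaluates literal
    syntax only (no calls, names or attribute access), so the altered field raises
    ValueError. The type check rejects literals that are not plain integers."""
    value = ast.literal_eval(token)
    if not isinstance(value, int) or isinstance(value, bool):
        raise ValueError(f"not an integer literal: {token!r}")
    return value


if __name__ == "__main__":
    print(parse_mapping_safe(CONSTRUCTED_MAPPING))
    try:
        parse_mapping_safe(CONSTRUCTED_TAMPERED)
    except ValueError as exc:
        print("rejected:", exc)
```

Both parsers return the same dictionary for the well-formed table; only the eval() version accepts the altered line, because it evaluates the field instead of checking it against the expected shape. The strict hex check is tighter than ast.literal_eval() on its own, which would still accept any Python literal (a string, a list) in a field that should only ever hold a code point.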
Workarounds
- Skip the affected CJK codec tests on unpatched Python versions by excluding test_multibytecodec from test runs.
- Restrict outbound network access from build and test environments to trusted internal mirrors only.
- Run Python test suites inside isolated containers without credentials or write access to production resources.
# Configuration example: verify Python version and skip vulnerable test on legacy systems
python3 --version
python3 -m test -x test_multibytecodec
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


