CVE-2024-34062 Overview
CVE-2024-34062 is a code injection vulnerability affecting tqdm, the popular open source progress bar library for Python and CLI applications. The vulnerability exists because any optional non-boolean CLI arguments (such as --delim, --buf-size, --manpath) are passed through Python's eval() function, allowing arbitrary code execution on the local system.
Critical Impact
Local attackers with access to the system can execute arbitrary Python code by crafting malicious CLI arguments, potentially leading to data theft, system compromise, or lateral movement within a network.
Affected Products
- tqdm versions prior to 4.66.3
- Python applications and scripts utilizing vulnerable tqdm CLI functionality
- Systems where tqdm CLI commands are exposed to user-controlled input
Discovery Timeline
- 2024-05-03 - CVE-2024-34062 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-34062
Vulnerability Analysis
This vulnerability stems from unsafe use of Python's eval() function to process CLI argument values. When users provide non-boolean arguments to tqdm's command-line interface, the application constructs strings dynamically and passes them to eval() for type conversion. This design pattern creates a classic code injection vulnerability where an attacker can craft malicious input that executes arbitrary Python code.
The vulnerability is locally exploitable, meaning an attacker needs local access to the system or the ability to influence CLI arguments passed to tqdm. While this limits the attack surface compared to remote exploits, it remains dangerous in scenarios involving automated scripts, CI/CD pipelines, or multi-user systems where tqdm commands might process untrusted input.
Root Cause
The root cause is the use of Python's eval() function for type casting CLI argument values. The original implementation used eval(typ + '("' + val + '")') to convert string inputs to their intended types. This approach is inherently unsafe as eval() executes arbitrary Python expressions, and user-controlled input was being directly interpolated into the expression string without proper sanitization or validation.
CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) accurately classifies this vulnerability, as user input was not properly neutralized before being processed by the Python interpreter.
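To make the root cause concrete, here is an added example (not tqdm's own code) of the explicit per-type handling that the fix describes: the type name only ever selects a converter from an allowlist, and the CLI value is never interpolated into source text. The `chr` branch uses `codecs.decode(..., 'unicode_escape')` in place of any eval, which is a swapped-in technique, and the `TqdmTypeError` class and `safe_cast` name are local stand-ins.

```python
import codecs
import re

class TqdmTypeError(TypeError):
    """Local stand-in for tqdm's error: the value cannot be cast to the requested type."""

# Allowlist of converters: the type name is a dictionary key, never code.
_CONVERTERS = {'int': int, 'float': float, 'str': str}

# For 'chr', accept a single character or one simple backslash escape (\t, \n, \x1b ...).
_ESCAPE_RE = re.compile(r'^\\[a-zA-Z0-9]+$')

def safe_cast(val, typ):
    """Convert a CLI string value to the named type without evaluating it."""
    if typ == 'bool':
        if val in ('True', ''):
            return True
        if val == 'False':
            return False
        raise TqdmTypeError(f"{val} : {typ}")
    if typ == 'chr':
        if len(val) == 1:
            return val.encode()
        if _ESCAPE_RE.match(val):
            # Decode the escape with the codec layer, not the interpreter.
            decoded = codecs.decode(val, 'unicode_escape')
            if len(decoded) == 1:
                return decoded.encode()
        raise TqdmTypeError(f"{val} : {typ}")
    conv = _CONVERTERS.get(typ)
    if conv is None:
        raise TqdmTypeError(f"unsupported type : {typ}")
    try:
        return conv(val)
    except (TypeError, ValueError):
        # Anything that is not a plain literal of the requested type is rejected.
        raise TqdmTypeError(f"{val} : {typ}") from None
```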
Attack Vector
The attack requires local access to execute tqdm CLI commands with crafted arguments. An attacker could exploit this by providing specially crafted values to vulnerable CLI options. For example, malicious payloads could be injected through options like --delim, --buf-size, or --manpath that would be evaluated as Python code rather than simple string or numeric values.
Attack scenarios include:
- Local privilege escalation on multi-user systems
- Exploitation via scripts that pass user-controlled data to tqdm CLI
- Compromise of CI/CD pipelines using tqdm with external inputs
- Supply chain attacks targeting build systems
The following patch shows how the vulnerability was remediated by removing the unsafe eval() call:
return cast(val, t)
except TqdmTypeError:
pass
- raise TqdmTypeError(val + ' : ' + typ)
+ raise TqdmTypeError(f"{val} : {typ}")
# sys.stderr.write('\ndebug | `val:type`: `' + val + ':' + typ + '`.\n')
if typ == 'bool':
if (val == 'True') or (val == ''):
return True
- elif val == 'False':
+ if val == 'False':
return False
- else:
- raise TqdmTypeError(val + ' : ' + typ)
- try:
- return eval(typ + '("' + val + '")')
- except Exception:
- if typ == 'chr':
- return chr(ord(eval('"' + val + '"'))).encode()
- else:
- raise TqdmTypeError(val + ' : ' + typ)
+ raise TqdmTypeError(val + ' : ' + typ)
+ if typ == 'chr':
+ if len(val) == 1:
+ return val.encode()
+ if re.match(r"^\\\\\\w+$", val):
+ return eval(f'"{val}"').encode()
+ raise TqdmTypeError(f"{val} : {typ}")
+ if typ == 'str':
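Review bot: the `chr` branch still reaches `eval(f'"{val}"').encode()` for multi-character values, with `re.match(r"^\\\\\\w+$", val)` as the only guard between the argument and the interpreter; replace that residual eval with a non-evaluating decoder such as `codecs.decode(val, 'unicode_escape')` and check that the result is exactly one character, so no CLI value is ever turned into source text. The hunk also calls `re.match` but no `import re` is visible in the shown context; confirm it is present at module top. Minor style point: the first hunk moves one message to `f"{val} : {typ}"` while the new bool-branch line `raise TqdmTypeError(val + ' : ' + typ)` keeps concatenation; use the f-string form throughout.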
Source: GitHub Commit - Security Fix
Detection Methods for CVE-2024-34062
Indicators of Compromise
- Unusual process spawning from Python scripts using tqdm
- Suspicious command-line arguments containing Python expressions or special characters in tqdm commands
- Unexpected network connections or file system activity originating from tqdm-related processes
- Audit logs showing tqdm CLI invocations with encoded or obfuscated argument values
Detection Strategies
- Monitor for tqdm CLI executions with arguments containing Python syntax elements such as __import__, exec, eval, or os.system
- Implement application-level logging for tqdm CLI argument values in production environments
- Use static analysis tools to identify scripts passing user-controlled input to tqdm CLI
- Deploy runtime application self-protection (RASP) to detect and block code injection attempts
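The token-based monitoring rule above, written out as an added example (not part of the original page or of tqdm): it parses recorded command lines, keeps only `tqdm` or `python -m tqdm` invocations, and flags option values that contain the Python syntax elements listed above or the quote and parenthesis characters that the vulnerable `typ("...")` wrapper made significant. The command lines in `SAMPLE_CMDLINES` are constructed, and the option-parsing rules are a simplification of tqdm's real CLI.

```python
import re
import shlex

# Python syntax elements named in the detection guidance, matched as whole words.
TOKEN_RE = re.compile(r'\b(__import__|exec|eval|os\.system)\b')
# The vulnerable cast wrapped each value in typ("..."), so a quote or parenthesis
# inside a progress-bar option value is out of place on its own.
STRUCTURAL_RE = re.compile(r'["\'()]')

def is_tqdm_invocation(argv):
    """True for `tqdm ...` and `python -m tqdm ...` command lines."""
    prog = argv[0].rsplit('/', 1)[-1] if argv else ''
    return prog == 'tqdm' or (prog.startswith('python') and argv[1:3] == ['-m', 'tqdm'])

def option_values(argv):
    """Yield (option, value) for both --opt=value and --opt value forms."""
    i = 0
    while i < len(argv):
        if argv[i].startswith('--'):
            if '=' in argv[i]:
                yield tuple(argv[i][2:].split('=', 1))
            elif i + 1 < len(argv) and not argv[i + 1].startswith('--'):
                yield argv[i][2:], argv[i + 1]
                i += 1
        i += 1

def scan_cmdline(cmdline):
    """Return (option, value, reason) findings for one recorded command line."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes are worth a look by themselves
        return [('?', cmdline, 'unparseable quoting')]
    if not is_tqdm_invocation(argv):
        return []
    findings = []
    for opt, val in option_values(argv):
        m = TOKEN_RE.search(val)
        if m:
            findings.append((opt, val, f'token {m.group(1)}'))
        elif STRUCTURAL_RE.search(val):
            findings.append((opt, val, 'quote/paren in value'))
    return findings

SAMPLE_CMDLINES = [  # constructed command lines, not real telemetry
    "tqdm --delim , --buf-size 4096",
    "tqdm --delim __import__ --total 10",
    "/usr/bin/python3 -m tqdm --buf-size 'exec(x)'",
    "grep -c eval script.py",
]
```

Only the second and third sample lines produce findings; the `grep` line shows that the word `eval` alone is not enough without a tqdm invocation.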
Monitoring Recommendations
- Enable command-line auditing on systems where tqdm is used in automated workflows
- Configure SIEM rules to alert on suspicious Python process behaviors following tqdm execution
- Review CI/CD pipeline configurations for instances where external input may reach tqdm CLI commands
- Perform regular dependency audits to ensure tqdm version 4.66.3 or later is deployed across all environments
How to Mitigate CVE-2024-34062
Immediate Actions Required
- Upgrade tqdm to version 4.66.3 or later immediately across all environments
- Audit scripts and applications to identify any usage of tqdm CLI with user-controlled input
- Review CI/CD pipelines and automated workflows for vulnerable tqdm versions
- Implement input validation for any system that passes external data to tqdm commands
Patch Information
The vulnerability has been addressed in tqdm release version 4.66.3. The fix replaces the unsafe eval() call with explicit type handling and proper input validation. Users should upgrade using pip:
pip install --upgrade "tqdm>=4.66.3"
For additional details, refer to the GitHub Security Advisory GHSA-g7vv-2v7x-gj9p and the security patch commit.
Fedora users should check for updated packages via their distribution's package manager. Multiple Fedora Package Announcements have been issued regarding this vulnerability.
Workarounds
- Avoid using tqdm CLI features with user-controlled or untrusted input until patched
- Implement strict input validation and sanitization before passing any external data to tqdm commands
- Consider containerizing applications using tqdm CLI to limit the impact of potential exploitation
- Use Python API calls to tqdm instead of CLI invocations where possible, as the vulnerability is specific to CLI argument parsing
# Verify tqdm version and upgrade if necessary
pip show tqdm | grep Version
pip install --upgrade "tqdm>=4.66.3"
# For system-wide installations
sudo pip install --upgrade "tqdm>=4.66.3"
# For virtual environments, ensure upgrade within the environment
source /path/to/venv/bin/activate
pip install --upgrade "tqdm>=4.66.3"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.