
CVE-2024-9287: A vulnerability has been found in the CPython `venv` module and CLI where path names provided...

CVSS Score (v3.1): 7.8

Basic Information

EPSS Score: 0.11741%
Published: 10/22/2024
Updated: 4/26/2025
KEV Status: No
Technology: -

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vulnerability Intelligence
Root Cause Analysis

The vulnerability is a command injection in CPython's `venv` module, caused by path names that are substituted into activation scripts without proper quoting. The analysis focused on identifying the functions that process the user-supplied path and generate these scripts.

  1. `venv.EnvBuilder.replace_variables` is identified as the core vulnerable function: it performed direct string substitution of user input (such as the environment path) into the script templates without quoting it.
  2. `venv.EnvBuilder.install_scripts` is crucial because it calls `replace_variables` and writes the processed (previously unquoted) script content to disk.
  3. `venv.EnvBuilder.create` is the main `EnvBuilder` API method that accepts the user-provided, potentially malicious, environment path and starts the vulnerable workflow.
  4. `venv.main` (from `Lib/venv/__main__.py`) is the CLI entry point that parses the user's input, including the environment path, and passes it to `EnvBuilder.create`. All of these functions would appear in a runtime profile taken while a virtual environment is created, and their interaction produced the vulnerability whenever an unquoted, malicious path name was used.
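As an added illustration (not the page's or CPython's own code), the fragment below shows why substituting the raw environment path into an activation-script template breaks the script's parse, and how shell-quoting the value before substitution keeps the path intact. The template fragments, the two render functions, the sample paths and the round-trip check are all constructed here, and the `shlex.quote`-based rendering is an assumed hardening pattern, not a claim about the exact upstream patch.

```python
import shlex

# Constructed fragments standing in for the bash activation-script template
# that venv fills in; the real template is longer. The vulnerable form wraps
# the placeholder in double quotes and substitutes the raw path; the
# hardened form substitutes a shell-quoted value (assumed fix pattern).
VULNERABLE_TEMPLATE = 'VIRTUAL_ENV="__VENV_DIR__"\nexport VIRTUAL_ENV\n'
HARDENED_TEMPLATE = 'VIRTUAL_ENV=__VENV_DIR__\nexport VIRTUAL_ENV\n'


def render_vulnerable(env_dir: str) -> str:
    """Mimics the unquoted substitution the analysis describes."""
    return VULNERABLE_TEMPLATE.replace('__VENV_DIR__', env_dir)


def render_hardened(env_dir: str) -> str:
    """Quote the path for a POSIX shell before substituting it."""
    return HARDENED_TEMPLATE.replace('__VENV_DIR__', shlex.quote(env_dir))


def assigned_virtual_env(script: str):
    """Return the value a POSIX shell would assign to VIRTUAL_ENV, or None
    if the assignment line no longer tokenises as a single word (unbalanced
    quotes or extra words mean the path escaped its quoting). shlex models
    only quoting and word splitting, not parameter or command expansion,
    so this is a parse check rather than a full shell emulation."""
    for line in script.splitlines():
        if not line.startswith('VIRTUAL_ENV='):
            continue
        try:
            words = shlex.split(line)
        except ValueError:          # "No closing quotation"
            return None
        if len(words) != 1:
            return None
        return words[0][len('VIRTUAL_ENV='):]
    return None


def path_round_trips(render, env_dir: str) -> bool:
    """True when the rendered script assigns exactly env_dir."""
    return assigned_virtual_env(render(env_dir)) == env_dir


if __name__ == '__main__':
    # Constructed sample paths: a plain space survives either rendering, but
    # a double quote inside the path only survives the hardened one.
    for env_dir in ('/tmp/odd name', '/tmp/odd "name', "/tmp/it's"):
        print(repr(env_dir), 'vulnerable:', path_round_trips(render_vulnerable, env_dir),
              'hardened:', path_round_trips(render_hardened, env_dir))
```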
