CVE-2025-55037: TkEasyGUI Vulnerable to OS Command Injection
9.8
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| TkEasyGUI | pip | < 1.0.22 | 1.0.22 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The analysis of the security patches, specifically commit 34847e11c210cddd33015e6a90379e2b5d073d4c, reveals a critical OS command injection vulnerability in TkEasyGUI versions prior to 1.0.22. The root cause lies in the send_notification_mac and send_notification_win functions within TkEasyGUI/dialogs.py.
Both functions insecurely construct shell command strings for their respective operating systems (AppleScript for macOS, PowerShell for Windows) by directly embedding raw user input (message and title) into the command strings. This allows an attacker to break out of the intended command and inject arbitrary commands for execution.
The popup_notify function serves as the entry point, calling these vulnerable functions based on the detected OS. Therefore, any call to popup_notify with untrusted input could lead to remote code execution.
The patch addresses these vulnerabilities by replacing the unsafe string formatting with a secure method of passing data. It now base64-encodes the user input and passes it as arguments to the scripts. The scripts then decode the data, preventing any part of the user input from being interpreted as a command.
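The following is an added example (not TkEasyGUI's own code) modelling the pre-patch pattern beside the fixed design the advisory describes: user input is base64-encoded and passed as separate argv entries rather than interpolated into a shell string. The script path and the `argv_is_inert` check are hypothetical.

```python
import base64
import re
import subprocess
from typing import List

# Constructed example of the fix described in the advisory, not the project's code.
# The title and message are base64-encoded and handed to the platform script as
# separate argv entries; the script decodes them itself, so nothing the user typed
# is ever parsed by a shell or by the script interpreter as code.

NOTIFY_SCRIPT = "/path/to/notify.scpt"  # hypothetical placeholder path

# Base64 output uses only these characters; none is a shell or quoting metacharacter.
_B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/=]*$")


def encode_arg(text: str) -> str:
    """Encode one user-supplied string so it carries no metacharacters."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_arg(b64: str) -> str:
    """What the receiving script does with each argument before displaying it."""
    return base64.b64decode(b64, validate=True).decode("utf-8")


def unsafe_command(title: str, message: str) -> str:
    """Pre-patch pattern: raw input interpolated into a single shell command string."""
    return f'osascript -e \'display notification "{message}" with title "{title}"\''


def safe_argv(title: str, message: str) -> List[str]:
    """Patched pattern: an argv list with encoded payload and no shell involved."""
    return ["osascript", NOTIFY_SCRIPT, encode_arg(title), encode_arg(message)]


def argv_is_inert(argv: List[str]) -> bool:
    """Defender's check: every user-derived argument is pure base64 alphabet."""
    return all(_B64_ALPHABET.match(arg) for arg in argv[2:])


def send_notification(title: str, message: str) -> None:
    # A list plus shell=False never invokes /bin/sh; argv reaches osascript verbatim.
    subprocess.run(safe_argv(title, message), shell=False, check=True)


if __name__ == "__main__":
    # Constructed input containing quote and command-substitution characters.
    hostile = 'Build "ok" $(date) `hostname`; echo hi'
    print("unsafe:", unsafe_command(hostile, "m"))   # metacharacters reach the shell
    print("safe:  ", safe_argv(hostile, "m"))        # only base64 reaches osascript
```

The same argv-plus-base64 shape applies to the Windows path, with PowerShell decoding its arguments instead of AppleScript.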
For a security engineer, this means any instance of popup_notify, send_notification_mac, or send_notification_win appearing in a runtime profile or logs, especially with externally sourced data, is a strong indicator of a potential exploitation attempt of CVE-2025-55037. Upgrading the tkeasygui package to version 1.0.22 or later is the recommended mitigation.