CVE-2016-10075 in tqdm
Summary
by MITRE
The tqdm._version module in tqdm versions 4.4.1 and 4.10 allows local users to execute arbitrary code via a crafted repo with a malicious git log in the current working directory.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 05/14/2026
The vulnerability identified as CVE-2016-10075 resides within the tqdm._version module of the tqdm library, a popular Python progress bar utility used extensively in data science and machine learning workflows. This security flaw affects versions 4.4.1 and 4.10 of the library, creating a critical vector for local code execution attacks. The vulnerability stems from the library's improper handling of git repository metadata during version detection, specifically when the tqdm._version module attempts to parse git log information from the current working directory. When a malicious actor places a crafted repository containing a specially crafted git log within the working directory, the library's version detection mechanism inadvertently executes arbitrary code as part of the parsing process. This represents a classic command injection vulnerability where user-controllable input from git metadata is directly processed without proper sanitization or validation.
The technical exploitation of this vulnerability occurs through a combination of path traversal and command execution mechanisms. When tqdm initializes and attempts to determine its version, it scans the current working directory for git repository information. If a malicious git repository with crafted log entries exists in the working directory, the library's git log parsing function processes these entries without adequate input validation. This processing can trigger the execution of arbitrary shell commands embedded within the git log data, effectively allowing local users to execute code with the privileges of the process running tqdm. The vulnerability is particularly dangerous because it can be triggered simply by having a malicious repository in the working directory, making it difficult to detect and prevent through traditional network-based security measures.
The operational impact of CVE-2016-10075 extends beyond immediate code execution capabilities to encompass broader system compromise scenarios. Since tqdm is commonly used in data science pipelines, machine learning workflows, and automated scripts, attackers can leverage this vulnerability to gain unauthorized access to systems running vulnerable applications. The attack surface is particularly wide given that tqdm is often used in environments where sensitive data processing occurs, potentially allowing attackers to access, modify, or exfiltrate valuable datasets. This vulnerability aligns with CWE-78, which specifically addresses improper neutralization of special elements used in OS commands, and can be categorized under ATT&CK technique T1059.001 for command and scripting interpreter. The vulnerability's persistence in the codebase for multiple versions indicates a fundamental flaw in the library's security design that could have been addressed through proper input validation and secure coding practices.
Mitigation strategies for CVE-2016-10075 require immediate version updates to patched releases of the tqdm library, as the vulnerability is resolved in subsequent versions through proper input sanitization of git log data. Organizations should implement comprehensive patch management procedures to ensure all systems using tqdm are updated to versions 4.11.0 or later, which contain the necessary security fixes. Additionally, system administrators should consider implementing runtime protections such as sandboxing or restricted execution environments for processes that utilize tqdm, particularly in shared or multi-tenant environments. Network segmentation and monitoring of suspicious git repository activities can also help detect potential exploitation attempts. The vulnerability underscores the importance of secure coding practices in open source libraries, particularly when handling external input from version control systems, and highlights the need for regular security audits of commonly used dependencies. Organizations should also implement automated dependency checking tools to identify and remediate vulnerable library versions across their software ecosystems.