CVE-2024-9287 in CPython

Summary

by MITRE • 10/22/2024

A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (i.e. "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (i.e. "./venv/bin/python") are not affected.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 12/02/2025

CVE-2024-9287 is a critical command injection flaw in the CPython venv module and its command line interface. It stems from improper handling of path names during virtual environment creation: the venv module writes the environment's path into the activation scripts that run when a user activates the environment, and it embeds that user-provided path into shell commands within those scripts without proper handling, which opens an avenue for command injection.

Technically, the venv module failed to quote or sanitize path names before embedding them into shell commands in the activation scripts. When an attacker creates a virtual environment whose path contains shell metacharacters, the shell interprets those characters during activation, and arbitrary commands execute. This happens in the activation script at venv/bin/activate, where the module constructs shell commands without adequate input validation or sanitization. The vulnerability is classified under CWE-78 (OS command injection), the root cause being a failure to properly quote shell arguments.

The operational impact of CVE-2024-9287 extends beyond simple privilege escalation to full system compromise when an attacker controls virtual environment creation. Anyone who can influence how a virtual environment is created, or who has write access to the directories where virtual environments are created, can execute arbitrary commands with the privileges of the user who activates the environment. This is a significant threat to development environments, CI/CD pipelines, and any system where virtual environments are routinely created and activated. It particularly affects scenarios in which developers or automated systems create virtual environments from untrusted sources, because activation itself becomes the vector for malicious code execution.

Mitigation requires immediate attention from system administrators and developers. The most effective immediate measure is upgrading to a patched CPython version, in which the venv module properly quotes all path names when generating activation scripts. Organizations should enforce strict controls over virtual environment creation so that only trusted users or systems can create environments with potentially malicious paths. Additional defensive measures include validating path names, using automated tools to scan for vulnerable activation scripts, and applying the principle of least privilege when running virtual environment activation commands. From an ATT&CK perspective, this vulnerability maps to T1059.001 Command and Scripting Interpreter and T1566.001 Phishing, as attackers can exploit it to execute malicious commands through compromised virtual environment creation processes. Organizations should also consider monitoring for suspicious modifications to activation scripts and establish secure development practices that keep untrusted input away from virtual environment creation.
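As an added example (not code from CPython or from VulDB), the following Python shows the defensive side of the issue described above: the quoting a fixed generator applies when it writes the environment path into a POSIX activate script, and a check that scans an existing activate file for VIRTUAL_ENV assignments that are not inert literals, the kind of automated scan the mitigation paragraph mentions. The double-quoted template shape attributed to the unpatched script, the sample file contents, and the function names are assumptions constructed for this illustration, not the venv module's own implementation.

```python
import re
import shlex

# The shape of the assignment as it appears in a POSIX activate script
# (optionally preceded by "export"); group 1 is the raw right-hand side.
ASSIGN_RE = re.compile(r'^\s*(?:export\s+)?VIRTUAL_ENV=(.*?)\s*$')


def render_virtual_env_assignment(env_dir: str) -> str:
    """Emit the VIRTUAL_ENV assignment the way a fixed generator should.

    shlex.quote() wraps the path in single quotes (escaping any embedded
    single quote), so $, backticks, quotes and separators in the directory
    name reach the shell as literal characters.  This illustrates the
    quoting principle of the fix; it is not CPython's own code.
    """
    return f"VIRTUAL_ENV={shlex.quote(env_dir)}"


def virtual_env_value_is_safe(value: str) -> bool:
    """Return True if the right-hand side of VIRTUAL_ENV=... is an inert literal.

    Exactly three shapes are accepted:
      * the canonical shlex.quote() form (a single-quoted literal, or a bare
        word consisting only of characters shlex considers safe);
      * one double-quoted string containing no $, backtick or backslash,
        the characters the shell still interprets inside "...";
      * a bare word made only of conservative path characters.
    Anything else (text after the closing quote, expansion characters inside
    double quotes, unbalanced quotes) is reported as unsafe.
    """
    try:
        parts = shlex.split(value)
    except ValueError:  # unbalanced quotes
        return False
    if len(parts) == 1 and shlex.quote(parts[0]) == value:
        return True
    if re.fullmatch(r'"[^"$`\\]*"', value):
        return True
    return re.fullmatch(r'[A-Za-z0-9_./~-]+', value) is not None


def audit_activate_script(text: str) -> list[int]:
    """Return the 1-based line numbers of VIRTUAL_ENV assignments that are not inert.

    Meant for scanning existing venv/bin/activate files (for example in a CI
    job) for environments written by an unpatched interpreter.
    """
    flagged = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = ASSIGN_RE.match(line)
        if match and not virtual_env_value_is_safe(match.group(1)):
            flagged.append(number)
    return flagged


# Constructed samples, not real activate files.  The "unpatched" one assumes
# the double-quoted template shape that lets $(...) in the path expand; the
# directory name carries a harmless echo so the audit has something to flag.
UNPATCHED_ACTIVATE = "\n".join([
    "# This file must be used with \"source bin/activate\" *from bash*",
    'VIRTUAL_ENV="/tmp/venv$(echo injected)"',
    "export VIRTUAL_ENV",
])
PATCHED_ACTIVATE = "\n".join([
    "# This file must be used with \"source bin/activate\" *from bash*",
    render_virtual_env_assignment("/tmp/venv$(echo injected)"),
    "export VIRTUAL_ENV",
])

if __name__ == "__main__":
    print("unpatched:", audit_activate_script(UNPATCHED_ACTIVATE))  # [2]
    print("patched:  ", audit_activate_script(PATCHED_ACTIVATE))    # []
```

The audit deliberately accepts only a few literal shapes rather than trying to enumerate every dangerous one: a value that does not round-trip through shlex.quote(), is not one clean double-quoted string, and is not a plain path word is flagged, so text appended after a closing quote or an expansion inside double quotes both surface. Run it over activate files produced before the upgrade to find environments that should be recreated.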

Responsible: PSF

Reservation: 09/27/2024

Disclosure: 10/22/2024

Moderation: accepted

CPE: ready

EPSS: 0.00647

KEV: no

Activities: very low
