CVE-2024-9287 MEDIUM

CVE-2024-9287: Virtual environment (venv) activation scripts don't quote paths

Vendor Python Software Foundation
Product CPython
Weakness CWE-428
Published October 22, 2024
Last update November 3, 2025

CVSS base score

5.3/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/U:Green

What the vulnerability does

01Description

A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

Key dates

02Disclosure timeline

October 22, 2024 CVE published
November 3, 2025 Record updated