PT-2024-28964 · Unknown+2 · Sentry Sdk+2

Kmichel-Aiven · Published 2024-07-08 · Updated 2026-01-22 · CVE-2024-40647

CVSS v3.1: 5.3 (Medium)
Vector: AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: sentry-sdk versions prior to 2.8.0

Description: A bug in sentry-sdk allows environment variables to be passed to subprocesses despite the env={} setting. In Python's subprocess calls, all environment variables are passed to subprocesses by default. If you specifically do not want them passed to a subprocess, you use the env argument of the subprocess call. Because of the bug in sentry-sdk, this expectation is not met while the Stdlib integration is enabled: the Stdlib integration re-injects the parent's environment, so all environment variables reach the subprocess regardless of env={}.

Recommendations: To resolve the issue, upgrade to sentry-sdk version 2.8.0 or later. As a temporary workaround, replace env={} with a minimal non-empty dict, such as env={"EMPTY_ENV": "1"}, or disable the Stdlib integration by removing sentry_sdk.integrations.stdlib.StdlibIntegration from sentry_sdk.integrations.DEFAULT_INTEGRATIONS before initializing sentry_sdk.
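The following check, added here and not part of the advisory or of sentry-sdk, is what a practitioner can run in an affected service to confirm whether env={} is honoured before and after the upgrade. The parent plants a constructed sentinel variable (ADVISORY_DEMO_SECRET, a name chosen for this example) and spawns a Python child with three different env arguments; if the sentinel is readable in the child that was started with env={}, something in the process (such as the Stdlib integration of sentry-sdk before 2.8.0) is re-injecting the parent's environment. The third case exercises the advisory's minimal-dict workaround.

```python
"""Verify that subprocesses started with env={} do not inherit the parent's
environment. Added example; ADVISORY_DEMO_SECRET and its value are constructed
for the demonstration and are not real secrets."""
import json
import os
import subprocess
import sys

SENTINEL = "ADVISORY_DEMO_SECRET"          # constructed variable name
SENTINEL_VALUE = "constructed-value"       # constructed value

# The child dumps the environment it actually received as JSON.
CHILD_CODE = "import json, os; print(json.dumps(dict(os.environ)))"


def child_environment(env):
    """Spawn a Python child with the given env argument and return the
    environment dict the child observed. sys.executable is an absolute path,
    so the child starts even when PATH is absent from env."""
    proc = subprocess.run(
        [sys.executable, "-c", CHILD_CODE],
        env=env,
        capture_output=True,
        text=True,
        check=True,
    )
    return json.loads(proc.stdout)


def sentinel_leaks(env):
    """Plant the sentinel in the parent, spawn a child with `env`, and report
    whether the sentinel reached the child. The sentinel is removed again
    afterwards so the parent's environment is left as it was."""
    os.environ[SENTINEL] = SENTINEL_VALUE
    try:
        return SENTINEL in child_environment(env)
    finally:
        del os.environ[SENTINEL]


def check_env_isolation():
    """Run the three cases a practitioner cares about.

    On a correct installation (no bug, or sentry-sdk >= 2.8.0):
      inherited_by_default -> True   (env=None inherits, as documented)
      leaks_with_empty_env -> False  (env={} is honoured)
      leaks_with_workaround -> False (the advisory's minimal-dict workaround)
    On an affected sentry-sdk with the Stdlib integration enabled, the
    advisory says leaks_with_empty_env becomes True."""
    return {
        "inherited_by_default": sentinel_leaks(env=None),
        "leaks_with_empty_env": sentinel_leaks(env={}),
        "leaks_with_workaround": sentinel_leaks(env={"EMPTY_ENV": "1"}),
    }


if __name__ == "__main__":
    for case, leaked in check_env_isolation().items():
        print(f"{case}: {'LEAKED' if leaked else 'isolated'}")
    if check_env_isolation()["leaks_with_empty_env"]:
        sys.exit("env={} is not honoured: check for sentry-sdk < 2.8.0 "
                 "with the Stdlib integration enabled")
```

Run this inside the application's own interpreter after sentry_sdk.init() has been called, not in a bare shell, because the leak only occurs once the Stdlib integration has patched subprocess; a non-zero exit from the script is the signal that the upgrade or workaround has not taken effect.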

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

BDU:2026-01021
CVE-2024-40647
GHSA-G92J-QHMH-64V2
OPENSUSE-SU-2024:0214-1
OPENSUSE-SU-2024:14209-1

Affected Products

Debian
Red Os
Sentry Sdk