PT-2024-9155 · Virtualenv

Musicinmybrain · Published 2024-09-23 · Updated 2026-03-17 · CVE-2024-53899

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: virtualenv versions prior to 20.26.6
Description: Command injection through the activation scripts that virtualenv generates for a virtual environment. When a script is rendered, the values substituted for its magic template strings (the environment path and the prompt) were not quoted correctly for the target shell, so a path or prompt containing shell metacharacters, for example a command substitution such as `$(...)`, is expanded and executed when a user sources the activation script. An attacker who can choose the location or name of a virtual environment can therefore run arbitrary commands with the privileges of the user who activates it. Despite the network attack vector in the CVSS rating above, exploitation needs a victim to source an activation script from an environment whose path or prompt the attacker influenced (for example one created inside a checked-out repository or a shared directory).
Recommendations: Upgrade to virtualenv 20.26.6 or later. Until the upgrade is in place, do not source activation scripts from environments whose path or prompt you do not control; an environment can still be used without activation by invoking its interpreter and tools by path (for example `.venv/bin/python`), which never executes the activation script. Restrict who can create or modify virtual environments in shared locations. Note that activation scripts are written when the environment is created, so upgrading virtualenv does not fix scripts already on disk: recreate existing environments with the fixed version so their activation scripts are regenerated.
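As an added illustration (not virtualenv's own code), the following Python models the root cause with a constructed stand-in for a POSIX activate template: the pre-fix rendering drops the raw path into double quotes, where the shell still performs command and parameter expansion, while the hardened rendering shell-quotes each value with `shlex.quote` (the technique used here; the patched release's exact quoting code is not reproduced). `audit_activate` is a host-side check for activation scripts that were already generated, which an upgrade alone does not rewrite. The template text, the handling of `__VIRTUAL_ENV__` and `__VIRTUAL_PROMPT__`, the helper names and the sample directory name are assumptions of this example; `resolve_in_sh` assumes a POSIX `sh` on PATH.

```python
"""Model of the CVE-2024-53899 root cause: values substituted for the magic
template strings of a POSIX activation script were not shell-quoted, so a
venv path containing shell metacharacters is expanded when the script is
sourced. Added example with a constructed template; not virtualenv's code."""
import re
import shlex
import subprocess

# Constructed stand-in for an activate template (assumption: the real
# virtualenv template is not reproduced here).
TEMPLATE = (
    "VIRTUAL_ENV=__VIRTUAL_ENV__\n"
    "export VIRTUAL_ENV\n"
    "VIRTUAL_ENV_PROMPT=__VIRTUAL_PROMPT__\n"
    "export VIRTUAL_ENV_PROMPT\n"
)


def render_vulnerable(template, venv_dir, prompt):
    """Pre-fix behaviour: raw values wrapped in double quotes, so $(...),
    `...` and ${...} inside them are still expanded by the shell."""
    return (template
            .replace("__VIRTUAL_ENV__", '"%s"' % venv_dir)
            .replace("__VIRTUAL_PROMPT__", '"%s"' % prompt))


def render_fixed(template, venv_dir, prompt):
    """Hardened behaviour: shlex.quote single-quotes any value containing
    unsafe characters (escaping embedded single quotes), and a POSIX shell
    never expands the contents of single quotes."""
    return (template
            .replace("__VIRTUAL_ENV__", shlex.quote(venv_dir))
            .replace("__VIRTUAL_PROMPT__", shlex.quote(prompt)))


def value_can_expand(value):
    """True if a POSIX shell would run parameter or command expansion on the
    right-hand side of an assignment: a $ or backtick that is neither inside
    single quotes nor backslash-escaped."""
    in_single = in_double = False
    i = 0
    while i < len(value):
        c = value[i]
        if in_single:
            in_single = c != "'"          # only a closing quote ends it
        elif c == "\\":
            i += 1                        # escaped character, never a trigger
        elif c == "'" and not in_double:
            in_single = True
        elif c == '"':
            in_double = not in_double
        elif c in "$`":
            return True
        i += 1
    return False


ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def audit_activate(text):
    """Return the variables in an activation script whose assigned value a
    shell would expand; an empty list means the script is safe to source."""
    unsafe = []
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m and value_can_expand(m.group(2)):
            unsafe.append(m.group(1))
    return unsafe


def resolve_in_sh(script):
    """Source the rendered script in /bin/sh and return the VIRTUAL_ENV value
    the shell ended up with (assumes a POSIX sh on PATH)."""
    probe = script + '\nprintf "%s" "$VIRTUAL_ENV"\n'
    return subprocess.run(["sh", "-c", probe], capture_output=True,
                          text=True, check=True).stdout


# Constructed attacker-chosen directory name; the command substitution is
# harmless here, but it could be any command.
EVIL_DIR = "/tmp/demo-$(echo INJECTED)"

if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable),
                         ("fixed", render_fixed)):
        script = render(TEMPLATE, EVIL_DIR, "demo")
        print(name, "unsafe assignments:", audit_activate(script))
        print(name, "VIRTUAL_ENV after sourcing:", resolve_in_sh(script))
```

Running the block prints `['VIRTUAL_ENV']` and `/tmp/demo-INJECTED` for the vulnerable rendering (the substitution ran) and `[]` with the literal directory name for the fixed one. To check environments already on a host, feed the contents of each `bin/activate` to `audit_activate`; any non-empty result means the script predates the fix or was generated from a path that needs quoting.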

Weakness Enumeration

Command Injection (CWE-77)
OS Command Injection (CWE-78)

Related Identifiers

ALSA-2024:10953
ALT-PU-2025-6288
AZL-53417
AZL-53645
BDU:2024-10842
BIT-VIRTUALENV-2024-53899
CESA-2024_10953
CVE-2024-53899
GHSA-RQC4-2HC7-8C8V
INFSA-2024_10953
OESA-2025-1241
OPENSUSE-SU-2024:4093-1
OPENSUSE-SU-2024:4143-1
OPENSUSE-SU-2025:15252-1
PYSEC-2024-187
RHSA-2024:10953
RHSA-2024:11048
RHSA-2024:11091
RHSA-2024:11093
RHSA-2024:11094
RHSA-2025:0002
RLSA-2024:10953
SUSE-SU-2024:4093-1
SUSE-SU-2024:4143-1
USN-7271-1
USN-7271-2

Affected Products

Alt Linux
Almalinux
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Virtualenv