PT-2026-60967 · Pypi · Urwid
CVSS v3.1
8.1
High
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
urwid (affected versions not specified)
Description
The web display backend in
urwid/display/web.py uses Python's Mersenne Twister PRNG to generate web session identifiers urwid id within the Screen.start() function. Because this PRNG is not cryptographically secure, an attacker observing approximately 334 session IDs, such as those found in the X-Urwid-ID HTTP response header, can reconstruct the internal state and predict all past and future session IDs. Additionally, these identifiers are used as filenames for FIFOs created in the world-listable /tmp directory, allowing any local user to enumerate active session tokens. A valid session ID enables an attacker to read the victim's terminal screen via the polling endpoint, inject keystrokes—potentially leading to OS-level code execution if a shell is running—or crash the session by flooding the FIFO.Recommendations
Update urwid to the release containing fix commit 24acd12.
As a temporary mitigation, restrict access to the web display backend or avoid using it if not strictly necessary.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Urwid