Unpatched 15-year-aged Python bug causes code execution in 350,000 assignments

A vulnerability in the Python programming language that went unnoticed for 15 yrs is again in the spotlight as it impacts above 350,000 open supply repositories and can direct to code execution.

A stability concern revealed in 2007 and tagged as CVE-2007-4559 never obtained a patch and the only mitigation provided was an updated documentation warning builders of the hazard.

Has not been patched considering the fact that 2007

Vulnerability is in Python tarfile Packages that use unsanitized code tarfile.extract() Built-in default for features or tarfile.extractall(). This is a route traversal bug that permits an attacker to overwrite arbitrary documents.

Complex details of CVE-2007-4559 have been posted considering the fact that the 1st report in August 2007. Though there have been no reviews of exploitation of this bug, it signifies a possibility in the software package offer chain.

Before this year, CVE-2007-4559 was rediscovered by Trellix scientists when investigating yet another security situation. Trellix is ​​a new business delivering enhanced detection and response (XDR) alternatives via the merger of McAfee Organization and FireEye.

“Failure to generate secure code to sanitize member information in advance of calling tarfile.extract() tarfile.extractall() outcomes in a directory traversal vulnerability that could let a destructive person to obtain access to the file technique. – Charles McFarland, Vulnerability Researcher Trellix Sophisticated Menace Exploration Staff

This defect is extract Python capabilities tarfile The module explicitly depends on the facts in the TarInfo object and “brings together the path passed to the extract purpose with the identify in the TarInfo item”

CVE-2007-4559 - Path concatenating with filename
CVE-2007-4559 – Route concatenating with filename
Supply: Trerix

Less than a week immediately after publication, a information in the Python bug tracker claimed the issue had been shut and the documentation had been current with a warning that “extracting archives from untrusted resources can be unsafe”. A take care of has been introduced.

See also  Huawei Check out GT 3 Unboxing: classy and inexpensive? - Recombine

An approximated 350,000 initiatives influenced

Researchers at Trellix who analyzed the affect uncovered the vulnerability to exist in thousands of software tasks, equally open and closed source.

Scientists scraped a set of 257 repositories that likely contained vulnerable code and manually checked 175 of them to see if they have been afflicted. This reveals that 61% of them are vulnerable.

Managing automated checks on the remaining repositories elevated the variety of affected assignments to 65%, indicating a common problem.

Even so, the smaller sample established only served as a baseline for generating estimates for all impacted repositories available on GitHub.

“With the support of GitHub, we were ready to retrieve a substantially larger dataset that contains 588,840 exclusive repositories with ‘import tarfile’ in Python code” – Charles McFarland

With a hand-verified 61% vulnerability charge, Trellix has about 350,000 vulnerable repositories, lots of of which are run by device studying tools ( GitHub Copilot, and so forth.).

This sort of automated equipment depend on code from hundreds of thousands of repositories to deliver an “autocomplete” possibility. When they add unsafe code, the difficulty propagates to other initiatives without the need of the builders being aware of.

GitHub Copilot hinting at vulnerable tarfile extraction code
GitHub Copilot pointing to vulnerability tarfile extraction code
Supply: Trerix

Upon even further investigation of the concern, Trellix observed open up supply code vulnerable to CVE-2007-4559 “across a massive number of industries.”

As predicted, the growth sector will be hit the hardest, adopted by net and machine finding out systems.

Code vulnerable to CVE-2007-4559 in various industries
Code vulnerable to CVE-2007-4559 in different industries
Source: Trerix

Exploiting CVE-2007-4559

In modern technological website submit, Trellix vulnerability researcher Kasimir Schulz, who rediscovered this bug, provided basic methods to exploit CVE-2007-4559 in the Home windows model of the Spyder IDE. Spyder IDE is an open up supply cross-system integrated growth environment for scientific programming. .

See also  Elden Ring is experiencing a Steam Cloud save problem


Researchers have proven that this vulnerability is also accessible on Linux. They have been able to correctly escalate file writes and achieve code execution in their tests with Polemarch IT Infrastructure Management Providers.


Aside from drawing interest to the vulnerability and the dangers it poses, Trellix has also created patches for just about 11,000 jobs. The repair will be out there in a fork of the impacted repository. It is then additional to the key undertaking by way of a pull ask for.

Owing to the significant variety of affected repositories, researchers be expecting around 70,000 initiatives to be fixed in the coming weeks. On the other hand, acquiring the 100% mark is a tricky endeavor. Because merge requests also need to be approved by the maintainer.

BleepingComputer has asked the Python Software package Foundation for comment on CVE-2007-4559, but has not gained a reaction at the time of publication.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.