{"id":"CVE-2024-34062","summary":"tqdm CLI arguments injection attack","details":"tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through Python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and has been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.","aliases":["GHSA-g7vv-2v7x-gj9p"],"modified":"2026-04-10T05:13:25.520174Z","published":"2024-05-03T09:55:26.119Z","related":["CGA-v4q3-6q75-h2ph","MGASA-2024-0299","SUSE-SU-2024:1872-1","openSUSE-SU-2024:13939-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/34xxx/CVE-2024-34062.json","cwe_ids":["CWE-74"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PA3GIGHPWAHCTT4UF57LTPZGWHAX3GW6/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRECVQCCESHBS3UJOWNXQUIX725TKNY6/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VA337CYUS4SLRFV2P6MX6MZ2LKFURKJC/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/34xxx/CVE-2024-34062.json"},{"type":"ADVISORY","url":"https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34062"},{"type":"FIX","url":"https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tqdm/tqdm","events":[{"introduced":"0"},{"fixed":"4e613f84ed2ae029559f539464df83fa91feb316"}]},{"type":"GIT","repo":"https://github.com/tqdm/tqdm","events":[{"introduced":"0"},{"fixed":"4e613f84ed2ae029559f539464df8
3fa91feb316"}]}],"versions":["3.2.0","v1.0.0","v2.0.0","v2.1.0","v2.2.0","v2.2.1","v2.2.3","v2.2.4","v3.1.0","v3.1.1","v3.1.2","v3.1.3","v3.1.4","v3.1.5","v3.2.0","v3.3.0","v3.4.0","v3.5.0","v3.6.0","v3.7.0","v3.7.1","v3.8.0","v4.0.0","v4.1.0","v4.10.0","v4.11.0","v4.11.1","v4.11.2","v4.12.0","v4.12.1","v4.12.2","v4.13.0","v4.14.0","v4.15.0","v4.16.0","v4.17.0","v4.17.1","v4.18.0","v4.19.0","v4.19.1","v4.19.2","v4.19.3","v4.19.4","v4.19.5","v4.19.6","v4.19.7","v4.19.8","v4.19.9","v4.2.0","v4.20.0","v4.21.0","v4.22.0","v4.23.0","v4.23.1","v4.23.2","v4.23.3","v4.23.4","v4.24.0","v4.25.0","v4.26.0","v4.27.0","v4.28.0","v4.28.1","v4.29.1","v4.3.0","v4.30.0","v4.31.0","v4.31.1","v4.32.0","v4.32.1","v4.32.2","v4.33.0","v4.34.0","v4.35.0","v4.36.0","v4.36.1","v4.37.0","v4.38.0","v4.39.0","v4.4.0","v4.4.1","v4.4.2","v4.4.3","v4.40.0","v4.40.1","v4.40.2","v4.41.0","v4.41.1","v4.42.0","v4.42.1","v4.43.0","v4.44.0","v4.44.1","v4.45.0","v4.46.0","v4.46.1","v4.47.0","v4.48.0","v4.48.1","v4.48.2","v4.49.0","v4.5.0","v4.5.2","v4.50.0","v4.50.1","v4.50.2","v4.51.0","v4.52.0","v4.53.0","v4.54.0","v4.54.1","v4.55.0","v4.55.1","v4.55.2","v4.56.0","v4.56.1","v4.56.2","v4.57.0","v4.58.0","v4.59.0","v4.6.0","v4.6.1","v4.6.2","v4.60.0","v4.61.0","v4.61.1","v4.61.2","v4.62.0","v4.62.1","v4.62.2","v4.62.3","v4.63.0","v4.63.1","v4.63.2","v4.64.0","v4.64.1","v4.65.0","v4.65.1","v4.65.2","v4.66.0","v4.66.1","v4.66.2","v4.7.0","v4.7.1","v4.7.2","v4.7.3","v4.7.4","v4.7.5","v4.7.6","v4.8.0","v4.8.1","v4.8.2","v4.8.3","v4.8.4","v4.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34062.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"}]}