{"id":"PYSEC-2026-1127","summary":"ansys-geometry-core OS Command Injection vulnerability","details":"subprocess call with shell=True identified, security issue.\n\n#### Code\n\nOn file [src/ansys/geometry/core/connection/product_instance.py](https://github.com/ansys/pyansys-geometry/blob/52cba1737a8a7812e5430099f715fa2160ec007b/src/ansys/geometry/core/connection/product_instance.py#L403-L428):\n\n```\n403 def _start_program(args: List[str], local_env: Dict[str, str]) -\u003e subprocess.Popen:\n404     \"\"\"\n405     Start the program where the path is the first item of the ``args`` array argument.\n406\n407     Parameters\n408     ----------\n409     args : List[str]\n410         List of arguments to be passed to the program. The first list's item shall\n411         be the program path.\n412     local_env : Dict[str,str]\n413         Environment variables to be passed to the program.\n414\n415     Returns\n416     -------\n417     subprocess.Popen\n418         The subprocess object.\n419     \"\"\"\n420      return subprocess.Popen(\n421         args,\n422         shell=os.name != \"nt\",\n423         stdin=subprocess.DEVNULL,\n424         stdout=subprocess.DEVNULL,\n425         stderr=subprocess.DEVNULL,\n426         env=local_env,\n427      )\n428 \n429 \n\n```\n\nUpon calling this method ``_start_program`` directly, users could exploit its usage to perform malicious operations on the current machine where the script is ran. With this resolution made through #1076 and #1077, we make sure that this method is only called from within the library and we are no longer enabling the ``shell=True`` option.\n\n#### CWE - 78\n\nFor more information see https://cwe.mitre.org/data/definitions/78.html\n\n#### More information\n\nVisit https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html to find out more information.","aliases":["CVE-2024-29189","GHSA-38jr-29fh-w9vm"],"modified":"2026-07-07T17:46:21.275187025Z","published":"2026-07-07T11:45:36.419888Z","references":[{"type":"WEB","url":"https://github.com/ansys/pyansys-geometry/security/advisories/GHSA-38jr-29fh-w9vm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29189"},{"type":"WEB","url":"https://github.com/ansys/pyansys-geometry/pull/1076"},{"type":"WEB","url":"https://github.com/ansys/pyansys-geometry/pull/1077"},{"type":"WEB","url":"https://github.com/ansys/pyansys-geometry/commit/902071701c4f3a8258cbaa46c28dc0a65442d1bc"},{"type":"WEB","url":"https://github.com/ansys/pyansys-geometry/commit/f82346b9432b06532e84f3278125f5879b4e9f3f"},{"type":"WEB","url":"https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html"},{"type":"PACKAGE","url":"https://github.com/ansys/pyansys-geometry"},{"type":"WEB","url":"https://github.com/ansys/pyansys-geometry/blob/52cba1737a8a7812e5430099f715fa2160ec007b/src/ansys/geometry/core/connection/product_instance.py#L403-L428"},{"type":"PACKAGE","url":"https://pypi.org/project/ansys-geometry-core"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-38jr-29fh-w9vm"}],"affected":[{"package":{"name":"ansys-geometry-core","ecosystem":"PyPI","purl":"pkg:pypi/ansys-geometry-core"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.3.0"},{"fixed":"0.3.3"},{"introduced":"0.4.0"},{"fixed":"0.4.12"}]}],"versions":["0.3.0","0.3.1","0.3.2","0.4.0","0.4.1","0.4.10","0.4.11","0.4.2","0.4.3","0.4.4","0.4.5","0.4.6","0.4.7","0.4.8","0.4.9"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/ansys-geometry-core/PYSEC-2026-1127.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}