UPDATE (November 2022): After much discussion, the Python security team has decided to remove the script described below. As a result, some of the links to the script (on GitHub) will no longer work. I am happy to see a mitigation for this vulnerability.
December 31. New Year’s Eve. Not so long ago. A time of reflection and new beginnings. Learning from our mistakes, charting the course for the future year, and celebrating successes. Marveling at our good — or bad — luck. Contemplative. What goals will I set for myself? What will I focus on this year? What do I want to improve?
For me, the goal was to get a CVE to my name — not for any particular reason other than that the idea had lingered far too long in the back of my mind, and the time seemed right to focus on such a task. I dutifully jotted my goal down. Then promptly forgot about it. Until August.
In August I was reading the GitHub repo of a small open source project. A Python project that a friend referred me to. It was part of the enormous wave of security tools that crashes upon the community, hoping that, in the frothy aftermath, it would get taken up by a few members and not pulled back to the abyss by the rip current.
The Vulnerability
That is where I saw it. A call to Python’s subprocess library: a direct system call with the shell enabled (shell=True), the command string assembled at runtime. That seems dangerous, I thought to myself, and started investigating.
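The pattern described above, as an added example that is not code from the post or from the project it describes: shell=True hands the whole command string to /bin/sh, so any metacharacter in a runtime value is interpreted by the shell, whereas an argv list with shell=False passes the value as one inert argument. The block below shows the hardened invocation and a small AST scan a reviewer can run over a repository to flag subprocess calls that use shell=True with a non-literal command. The sample module it scans is constructed for the example; the function names are my own.

```python
"""
Defender-side helpers around subprocess and shell=True (added example):
  1. safe_run(): invoke a program with an argv list and shell=False, so an
     attacker-controlled string reaches the child as a single argument.
  2. find_shell_true_calls(): an AST scan that reports subprocess calls with
     shell=True and whether their command is built from non-literal data.
"""
import ast
import subprocess
import sys

SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


def safe_run(user_value: str) -> str:
    # Argv list, no shell: the child receives user_value as exactly one
    # argument; ';', '|', '$(...)' and friends are never interpreted.
    # The child is the current interpreter so the example has no other deps.
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", user_value],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.rstrip("\n")


def _is_shell_true(call: ast.Call) -> bool:
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def _func_name(call: ast.Call):
    # Handles both `subprocess.run(...)` and `from subprocess import run; run(...)`.
    f = call.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name) and f.value.id == "subprocess":
        return f.attr
    if isinstance(f, ast.Name):
        return f.id
    return None


def find_shell_true_calls(source: str):
    """Return sorted (lineno, func, dynamic_command) for each subprocess call using shell=True."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _func_name(node)
        if name not in SUBPROCESS_FUNCS or not _is_shell_true(node):
            continue
        cmd = node.args[0] if node.args else None
        # A bare string literal is fixed at authoring time; concatenation,
        # f-strings, format() calls or variables may carry untrusted input.
        dynamic = not (isinstance(cmd, ast.Constant) and isinstance(cmd.value, str))
        findings.append((node.lineno, name, dynamic))
    return sorted(findings)


# Constructed sample module standing in for the kind of code the post describes.
SAMPLE_SOURCE = '''
import subprocess

def check_host(host):
    subprocess.run("ping -c 1 " + host, shell=True)          # dynamic: flagged HIGH

def kernel():
    return subprocess.check_output("uname -r", shell=True)   # literal: flagged for review

def check_host_safe(host):
    subprocess.run(["ping", "-c", "1", host])                # no shell: not flagged
'''

if __name__ == "__main__":
    for lineno, func, dynamic in find_shell_true_calls(SAMPLE_SOURCE):
        risk = "HIGH (command built from non-literal data)" if dynamic else "review"
        print(f"line {lineno}: subprocess.{func}(..., shell=True) -> {risk}")
    print(safe_run("ok; this stays one argument"))
```

Running the scan over a real tree is a matter of feeding each .py file's text to find_shell_true_calls; a literal command with shell=True is still worth a look (it may be there only to get shell features like pipes), but the dynamic cases are the ones that turn a caller-supplied string into arbitrary command execution.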