5 matches found

OSV
added 2026/03/13 8:58 p.m. | 1 view

GHSA-5CXW-W2XG-2M8H fickling's `platform` module subprocess invocation evades `check_safety()` with `LIKELY_SAFE`

Our assessment: We added platform to the blocklist of unsafe modules (https://github.com/trailofbits/fickling/commit/351ed4d4242b447c0ffd550bb66b40695f3f9975). It was not possible to inject extra arguments to file without first monkey-patching platform.followsymlinks with the pickle, as it always...

CVSS 6.9 | AI score 6
Exploits: 0 | References: 4
Vulnrichment
added 2025/12/04 12:0 a.m. | 1 view

CVE-2025-54306

An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. A remote code execution vulnerability exists in the network configuration functionality, stemming from insufficient input validation when processing network configuration parameters through administrative...

AI score 8.2 | EPSS 0.00293
Exploits: 0 | References: 3
RedhatCVE
added 2025/05/23 7:32 a.m. | 2 views

CVE-2024-40647

sentry-sdk is the official Python SDK for Sentry.io. A bug in Sentry's Python SDK 2.8.0 allows the environment variables to be passed to subprocesses despite the env= setting. In Python's subprocess calls, all environment variables are passed to subprocesses by default. However, if you specifical...

CVSS 5.3 | AI score 6.6 | EPSS 0.00028
Exploits: 0
Snyk
added 2024/11/01 6:30 a.m. | 1 view

Command Injection

Overview: deepspeed is a DeepSpeed library. Affected versions of this package are vulnerable to Command Injection in multiple instances where subprocess.run and subprocess.check_output are called with unsanitized input and shell=True. An attacker would need to supply specially crafted input to...

CVSS 9.8 | AI score 7.3
Exploits: 0 | References: 3
Veracode
added 2024/07/19 7:19 a.m. | 10 views

Information Leakage

Sentry-sdk is vulnerable to Information Leakage. The vulnerability is due to subprocess calls leaking environment variables when the Stdlib integration is enabled, which could allow an attacker to gain access to sensitive environment variables by exploiting the unintended passing of these variabl...

CVSS 5.3 | AI score 7.1 | EPSS 0.00028
Exploits: 0 | References: 7 | Affected Software: 1