Command Injection
Description
This affects the package codecov before 2.0.16. The vulnerability occurs because gcov arguments are not sanitized before being provided to the popen method.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Codecov Python uploader before 2.0.16 does not sanitize gcov arguments, allowing arbitrary command injection via the popen method.
Root Cause
The vulnerability exists in the Codecov Python uploader (codecov package) before version 2.0.16. The code fails to sanitize user-controlled gcov arguments before passing them to Python's popen function, enabling command injection [1].
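As an added illustration (not code from the codecov project or the advisory): the shell-string pattern described above beside an argv-list form that never invokes a shell, with the fix's single-character sanitizer reproduced for comparison. The function names, the sample path and the `printf` check are assumptions made for this example; the `& echo test > vuln1.txt` string is the one used by the fix commit's unit test.

```python
import re
import shlex
import shutil
import subprocess

# Constructed sample value: the string used by the fix commit's own unit test.
GCOV_ARGS_TEST = "& echo test > vuln1.txt"


def sanitize_arg(replacement, arg):
    """The helper added by the fix (keyword args instead of positional): it is a
    denylist that strips only '&' characters from the value."""
    return re.sub(r"[\&]+", replacement, arg, count=0, flags=re.MULTILINE)


def build_gcov_cmd_shell(gcov_root, gcov_exec, gcov_args):
    """Pattern used before 2.0.16: one command string built by interpolation and
    handed to a shell via popen, so the shell parses whatever the values contain."""
    return "find %s -type f -name '*.gcno' -exec %s -pb %s {} +" % (
        gcov_root, gcov_exec, gcov_args)


def build_gcov_argv(gcov_root, gcov_exec, gcov_args):
    """Hardened pattern: an argv list run with shell=False. Each caller-supplied
    value is its own element and reaches find/gcov as literal text."""
    argv = ["find", gcov_root, "-type", "f", "-name", "*.gcno",
            "-exec", gcov_exec, "-pb"]
    if gcov_args:
        # gcov_args is a flag string; shlex.split honours quoting without a shell.
        argv.extend(shlex.split(gcov_args))
    return argv + ["{}", "+"]


def quote_for_shell(gcov_root, gcov_exec, gcov_args):
    """If a shell string is unavoidable, quote every value so the shell sees one
    literal word per value instead of relying on a stripped character list."""
    return "find %s -type f -name '*.gcno' -exec %s -pb %s {} +" % (
        shlex.quote(gcov_root), shlex.quote(gcov_exec), shlex.quote(gcov_args))


def printf_literal(arg):
    """Run printf with shell=False and return the text it received (None when
    printf is unavailable): metacharacters in arg are not interpreted."""
    if shutil.which("printf") is None:
        return None
    proc = subprocess.run(["printf", "%s", arg], capture_output=True, text=True)
    return proc.stdout
```

Running `printf_literal(GCOV_ARGS_TEST)` returns the string unchanged and creates no file, which is the property the argv form gives for free and the `&`-stripping helper only approximates.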
Attack Vector
An attacker can exploit this by crafting a malicious gcov invocation that includes arbitrary shell commands. The attack does not require authentication if the attacker can influence the gcov command arguments, for example, through a compromised CI/CD pipeline or a malicious repository configuration trigger [2].
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the system where the uploader runs, potentially leading to data exfiltration, credential theft, or full compromise of the CI build environment [1].
Mitigation
The vulnerability was fixed in Codecov Python uploader version 2.0.16 [2] [3]. Users should upgrade immediately. The codecov-python package is now deprecated and no longer maintained, and users are strongly advised to migrate to the new uploader [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| codecov (PyPI) | < 2.0.16 | 2.0.16 |
Affected products
- codecov/codecov (GHSA coordinates), 3 package identifiers: pkg:pypi/codecov; pkg:rpm/opensuse/python-codecov (openSUSE Leap 15.3); pkg:rpm/opensuse/python-codecov (openSUSE Leap 15.4)
- (no CPE) range: < 2.0.16
- (no CPE) range: < 2.0.15-150100.3.3.1
- (no CPE) range: < 2.0.15-150100.3.3.1
Patches
2a80aa434f74 CE-1380_sanitize_args
2 files changed · +10 −3
codecov/__init__.py+7 −3 modified@@ -34,6 +34,10 @@ remove_token = re.compile(r'token=[^\&]+').sub +def sanitize_arg(replacement, arg): + return re.sub(r'[\&]+', replacement, arg, 0, re.MULTILINE) + + ignored_path = re.compile(r'(/vendor)|' r'(/js/generated/coverage)|' r'(/__pycache__)|' @@ -624,11 +628,11 @@ def main(*argv, **kwargs): ) write('==> Processing gcov (disable by -X gcov)') cmd = "find %s %s -type f -name '*.gcno' %s -exec %s -pb %s {} +" % ( - (codecov.gcov_root or root), + (sanitize_arg('', codecov.gcov_root or root)), dont_search_here, " ".join(map(lambda a: "-not -path '%s'" % a, codecov.gcov_glob)), - (codecov.gcov_exec or ''), - (codecov.gcov_args or '')) + (sanitize_arg('', codecov.gcov_exec or '')), + (sanitize_arg('', codecov.gcov_args or ''))) write(' Executing gcov (%s)' % cmd) try_to_run(cmd)
tests/test.py+3 −0 modified@@ -315,6 +315,9 @@ def test_none_found(self): else: raise Exception("Did not raise AssertionError") + def test_sanitize_arg(self): + self.assertEqual(codecov.sanitize_arg('', '& echo test > vuln1.txt'), ' echo test > vuln1.txt') + @unittest.skipUnless(os.getenv('JENKINS_URL'), 'Skip Jenkins CI test') def test_ci_jenkins(self): self.set_env(BUILD_URL='https://....',
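Review bot: sanitize_arg at the top of codecov/__init__.py is a denylist that removes only `&`, and the values it guards are still interpolated into a shell string, so the hardening rests on that single character being the only thing the shell could act on. Prefer a structural fix: hand find/gcov an argument list without a shell, or at minimum wrap each value in shlex.quote() before interpolation. The helper also lacks a docstring, and re.MULTILINE has no effect on a character-class pattern and can be dropped.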
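Review bot: the main() hunk now routes codecov.gcov_root (and the root fallback) through sanitize_arg('', ...) alongside gcov_exec and gcov_args, so a legitimate build directory whose path contains `&` is silently rewritten before find runs and gcov processing fails with no indication why. Log or reject a value that sanitize_arg changed instead of altering it silently, and document the restriction on these options.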
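Review bot: test_sanitize_arg in tests/test.py exercises one input; add a case with no `&` (must come back unchanged) and, because the main() hunk now passes gcov_root and gcov_exec through the same helper, an assertion on the final find command line built for such a value so the integration is covered, not only the helper.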
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-h3qr-fjhm-jphw (source: ghsa; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-10800 (source: ghsa; type: ADVISORY)
- github.com/codecov/codecov-python/commit/2a80aa434f74feb31242b6f213b75ce63ae97902 (source: ghsa, x_refsource_MISC; type: WEB)
- github.com/pypa/advisory-database/tree/main/vulns/codecov/PYSEC-2022-238.yaml (source: ghsa; type: WEB)
- snyk.io/vuln/SNYK-PYTHON-CODECOV-552149 (source: ghsa, x_refsource_MISC; type: WEB)
News mentions
No linked articles in our index yet.