High severity · NVD Advisory · Published Mar 18, 2024 · Updated Aug 2, 2024

astropy vulnerable to RCE in TransformGraph().to_dot_graph function

CVE-2023-41334

Description

Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the TransformGraph().to_dot_graph function. A malicious user can provide a command or a script file as a value to the savelayout argument, which will be placed as the first value in a list of arguments passed to subprocess.Popen. Although an error will be raised, the command or script will be executed successfully. Version 5.3.3 fixes this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Astropy 5.3.2 allows RCE via improper input validation in TransformGraph().to_dot_graph, passing user-supplied commands to subprocess.Popen.

Vulnerability

Description

CVE-2023-41334 is a remote code execution vulnerability in the Astropy core package version 5.3.2. The flaw resides in the TransformGraph().to_dot_graph function, where improper input validation in the savelayout argument allows a malicious user to supply a command or script file path. This value is placed as the first element in a list of arguments passed to subprocess.Popen, leading to execution of the attacker-controlled command despite subsequent errors being raised [1][4].

Exploitation

An attacker can exploit this by providing a shell script or command as the savelayout parameter when calling to_dot_graph. The supplied value becomes the first argument in the subprocess call, which is executed before the dot graph processing fails. A proof-of-concept demonstrates that a script placed in /tmp/script is run, writing a file with attacker-controlled content, even though a Python TypeError occurs from the subsequent communicate() call [4]. No special privileges are required beyond calling the vulnerable function.

Impact

Successful exploitation enables arbitrary code execution on the user's machine with the privileges of the Astropy process. An attacker could use this to run malicious scripts, install malware, or exfiltrate data. The impact is limited only by the attacker's ability to invoke the vulnerable function, for example through a crafted input in a Python script or interactive session [1][4].

Mitigation

Version 5.3.3 of the Astropy core package patched this vulnerability by fixing the input validation in to_dot_graph. Users should upgrade to version 5.3.3 or later immediately. No workarounds other than avoiding the use of savelayout with untrusted input are available for versions prior to 5.3.3 [1][4].
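As an added defensive example (not from the advisory or the astropy project), the script below supports the stated pre-5.3.3 workaround by auditing Python source for to_dot_graph() calls whose savelayout keyword is not a string literal from the Graphviz layout allow-list the fix introduced. The allow-list is copied from the fix commit; the sample source and the hypothetical request_args name are constructed for the demonstration.

```python
import ast

# Graphviz layout engines accepted by the 5.3.3 fix, plus "plain" (raw DOT output).
SAFE_LAYOUTS = frozenset({
    "plain", "dot", "neato", "fdp", "sfdp", "circo",
    "twopi", "nop", "nop2", "osage", "patchwork",
})


def audit_to_dot_graph_calls(source, filename="<string>"):
    """Return sorted (lineno, reason) pairs for risky to_dot_graph() calls.

    Risky: savelayout is not a string literal (value may come from outside
    the program) or is a literal outside SAFE_LAYOUTS. Only the keyword
    form is inspected; positional use of savelayout is not covered.
    """
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name != "to_dot_graph":
            continue
        kw = next((k for k in node.keywords if k.arg == "savelayout"), None)
        if kw is None:
            continue  # keyword omitted: library default applies, nothing caller-supplied
        value = kw.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str):
            if value.value not in SAFE_LAYOUTS:
                findings.append((node.lineno, f"literal {value.value!r} is not a Graphviz layout"))
        else:
            findings.append((node.lineno, "savelayout is not a string literal; value may be untrusted"))
    return sorted(findings)


# Constructed sample input (not real project code); `request_args` is a
# hypothetical dict standing in for any externally supplied value.
SAMPLE_SOURCE = '''\
from astropy.coordinates import frame_transform_graph as g
g.to_dot_graph(savefn="a.dot")
g.to_dot_graph(savefn="b.svg", savelayout="dot", saveformat="svg")
g.to_dot_graph(savefn="c.svg", savelayout=request_args["layout"])
g.to_dot_graph(savefn="d.dot", savelayout="fancy")
'''

if __name__ == "__main__":
    for lineno, reason in audit_to_dot_graph_calls(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{lineno}: {reason}")
```

Run against a real code base, only the two flagged call shapes need review; literal layouts from the allow-list are exactly what 5.3.3 accepts.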

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
astropy   PyPI        < 5.3.3             5.3.3


Patches

22057d37b131

MNT: Explicit option for savelayout in to_dot_graph

https://github.com/astropy/astropy · P. L. Lim · Aug 27, 2023 · via ghsa
1 file changed · +16 −2
  • astropy/coordinates/transformations.py (+16 −2, modified)
    @@ -492,7 +492,7 @@ def to_dot_graph(
             savefn : None or str
                 The file name to save this graph to or `None` to not save
                 to a file.
    -        savelayout : str
    +        savelayout : {"plain", "dot", "neato", "fdp", "sfdp", "circo", "twopi", "nop", "nop2", "osage", "patchwork"}
                 The graphviz program to use to layout the graph (see
                 graphviz_ for details) or 'plain' to just save the DOT graph
                 content. Ignored if ``savefn`` is `None`.
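Review bot: the allowed-value set written into the docstring line `savelayout : {"plain", "dot", ...}` duplicates the tuple checked in the function body; define the list once as a module-level constant and reference it from both places so a later layout addition cannot leave the docstring and the check out of sync. The retained sentence "Ignored if ``savefn`` is `None`" also now implies that an unsupported savelayout passes silently when no file is written; the docstring should say that validation only happens when saving.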
    @@ -571,7 +571,19 @@ def to_dot_graph(
                 if savelayout == "plain":
                     with open(savefn, "w") as f:
                         f.write(dotgraph)
    -            else:
    +            # Options from https://graphviz.org/docs/layouts/
    +            elif savelayout in (
    +                "dot",
    +                "neato",
    +                "fdp",
    +                "sfdp",
    +                "circo",
    +                "twopi",
    +                "nop",
    +                "nop2",
    +                "osage",
    +                "patchwork",
    +            ):
                     args = [savelayout]
                     if saveformat is not None:
                         args.append("-T" + saveformat)
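Review bot: the allow-list makes `args = [savelayout]` safe as the program name handed to Popen, but `saveformat` is still concatenated into `"-T" + saveformat` with no check. Because it is passed as a single list element with no shell, it cannot become a separate command, so this is a usability point rather than a security one: an unknown format fails inside Graphviz instead of with a clear Python error. Consider also hoisting the literal tuple into a named constant shared with the docstring above rather than spelling it out inline.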
    @@ -587,6 +599,8 @@ def to_dot_graph(
     
                     with open(savefn, "w") as f:
                         f.write(stdout)
    +            else:
    +                raise NotImplementedError(f'savelayout="{savelayout}" is not supported')
     
             return dotgraph
     
    
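Review bot: NotImplementedError is the wrong exception class for a rejected argument value; the Python convention (and what callers' `except` clauses will expect) is ValueError when an argument has the right type but an unsupported value. Suggest `raise ValueError(f'savelayout="{savelayout}" is not supported')`, and consider performing this check at the top of the function so an invalid value is reported even when `savefn` is None instead of passing silently.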
