ansys-geometry-core OS Command Injection vulnerability
Description
PyAnsys Geometry is a Python client library for the Ansys Geometry service and other CAD Ansys products. On file src/ansys/geometry/core/connection/product_instance.py, upon calling this method _start_program directly, users could exploit its usage to perform malicious operations on the current machine where the script is ran. This vulnerability is fixed in 0.3.3 and 0.4.12.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PyAnsys Geometry's _start_program method uses subprocess with shell=True, allowing command injection leading to arbitrary code execution.
Vulnerability
Overview CVE-2024-29189 is a critical vulnerability in the PyAnsys Geometry library, a Python client for Ansys Geometry services. The flaw resides in the _start_program method within src/ansys/geometry/core/connection/product_instance.py. The method invokes a subprocess with shell=True, which is known to be dangerous as it can lead to shell injection attacks if user input is not properly sanitized [2]. This design allows an attacker to execute arbitrary commands on the host system.
Exploitation
To exploit this vulnerability, an attacker must be able to call the _start_program method directly, which may require local access or the ability to influence program inputs. The method does not sufficiently validate or sanitize the command string, so an attacker can inject shell metacharacters to execute unintended commands. The use of shell=True amplifies the risk, as it passes the command through the system shell [2].
Impact
Successful exploitation enables an attacker to perform arbitrary operations on the machine running the PyAnsys Geometry script. This could include data theft, installation of malware, or complete compromise of the system. The vulnerability has a high severity due to the potential for remote code execution, although it likely requires prior access to the environment.
Mitigation
The issue has been addressed in versions 0.3.3 and 0.4.12 of the PyAnsys Geometry library [1][3]. Users are strongly advised to update to these patched versions. The fix likely involves removing or securing the use of shell=True and properly escaping inputs. No workarounds have been provided, and the vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ansys-geometry-corePyPI | >= 0.3.0, < 0.3.3 | 0.3.3 |
ansys-geometry-corePyPI | >= 0.4.0, < 0.4.12 | 0.4.12 |
Affected products
3- Range: <0.3.3, <0.4.12
- ansys/pyansys-geometryv5Range: >= 0.3.0, < 0.3.3
Patches
2902071701c4ffeat: accept bandit advisories in-line for subprocess (#1077)
2 files changed · +9 −4
doc/changelog.d/1077.added.md+1 −0 added@@ -0,0 +1 @@ +feat: accept bandit advisories in-line for subprocess \ No newline at end of file
src/ansys/geometry/core/connection/product_instance.py+8 −4 modified@@ -23,7 +23,10 @@ import os import signal import socket -import subprocess + +# Subprocess is needed to start the backend. But +# the input is controlled by the library. Excluding bandit check. +import subprocess # nosec B404 from ansys.tools.path import get_available_ansys_installations, get_latest_ansys_installation from beartype.typing import TYPE_CHECKING, Dict, List @@ -302,7 +305,7 @@ def prepare_and_start_backend( LOG.debug(f"Args: {args}") LOG.debug(f"Environment variables: {env_copy}") - instance = ProductInstance(_start_program(args, env_copy).pid) + instance = ProductInstance(__start_program(args, env_copy).pid) # Verify that the backend is ready to accept connections # before returning the Modeler instance. @@ -403,7 +406,7 @@ def _manifest_path_provider( raise RuntimeError(msg) -def _start_program(args: List[str], local_env: Dict[str, str]) -> subprocess.Popen: +def __start_program(args: List[str], local_env: Dict[str, str]) -> subprocess.Popen: """ Start the program where the path is the first item of the ``args`` array argument. @@ -420,7 +423,8 @@ def _start_program(args: List[str], local_env: Dict[str, str]) -> subprocess.Pop subprocess.Popen The subprocess object. """ - return subprocess.Popen( + # private method and controlled input by library - excluding bandit check. + return subprocess.Popen( # nosec B603 args, stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
f82346b9432bfix: prepare_and_start_backend is only available on Windows (#1076)
2 files changed · +4 −1
doc/changelog.d/1076.fixed.md+1 −0 added@@ -0,0 +1 @@ +fix: prepare_and_start_backend is only available on Windows \ No newline at end of file
src/ansys/geometry/core/connection/product_instance.py+3 −1 modified@@ -241,6 +241,9 @@ def prepare_and_start_backend( """ from ansys.geometry.core.modeler import Modeler + if os.name != "nt": # pragma: no cover + raise RuntimeError("Method 'prepare_and_start_backend' is only available on Windows.") + port = _check_port_or_get_one(port) installations = get_available_ansys_installations() if product_version != None: @@ -419,7 +422,6 @@ def _start_program(args: List[str], local_env: Dict[str, str]) -> subprocess.Pop """ return subprocess.Popen( args, - shell=os.name != "nt", stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- github.com/advisories/GHSA-38jr-29fh-w9vmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-29189ghsaADVISORY
- bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.htmlghsax_refsource_MISCWEB
- github.com/ansys/pyansys-geometry/blob/52cba1737a8a7812e5430099f715fa2160ec007b/src/ansys/geometry/core/connection/product_instance.pyghsax_refsource_MISCWEB
- github.com/ansys/pyansys-geometry/commit/902071701c4f3a8258cbaa46c28dc0a65442d1bcghsax_refsource_MISCWEB
- github.com/ansys/pyansys-geometry/commit/f82346b9432b06532e84f3278125f5879b4e9f3fghsax_refsource_MISCWEB
- github.com/ansys/pyansys-geometry/pull/1076ghsax_refsource_MISCWEB
- github.com/ansys/pyansys-geometry/pull/1077ghsax_refsource_MISCWEB
- github.com/ansys/pyansys-geometry/security/advisories/GHSA-38jr-29fh-w9vmghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.