Medium severity 4.8 · NVD Advisory · Published May 3, 2024 · Updated Apr 15, 2026
CVE-2024-34062
Description
tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. --delim, --buf-size, --manpath) are passed through Python's eval, allowing arbitrary code execution. This issue is only locally exploitable and has been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tqdm (PyPI) | >= 4.4.0, < 4.66.3 | 4.66.3 |
Patches
4e613f84ed2a · Merge pull request from GHSA-g7vv-2v7x-gj9p
1 file changed · +22 −11
tqdm/cli.py+22 −11 modified@@ -21,23 +21,34 @@ def cast(val, typ): return cast(val, t) except TqdmTypeError: pass - raise TqdmTypeError(val + ' : ' + typ) + raise TqdmTypeError(f"{val} : {typ}") # sys.stderr.write('\ndebug | `val:type`: `' + val + ':' + typ + '`.\n') if typ == 'bool': if (val == 'True') or (val == ''): return True - elif val == 'False': + if val == 'False': return False - else: - raise TqdmTypeError(val + ' : ' + typ) - try: - return eval(typ + '("' + val + '")') - except Exception: - if typ == 'chr': - return chr(ord(eval('"' + val + '"'))).encode() - else: - raise TqdmTypeError(val + ' : ' + typ) + raise TqdmTypeError(val + ' : ' + typ) + if typ == 'chr': + if len(val) == 1: + return val.encode() + if re.match(r"^\\\w+$", val): + return eval(f'"{val}"').encode() + raise TqdmTypeError(f"{val} : {typ}") + if typ == 'str': + return val + if typ == 'int': + try: + return int(val) + except ValueError as exc: + raise TqdmTypeError(f"{val} : {typ}") from exc + if typ == 'float': + try: + return float(val) + except ValueError as exc: + raise TqdmTypeError(f"{val} : {typ}") from exc + raise TqdmTypeError(f"{val} : {typ}") def posix_pipe(fin, fout, delim=b'\\n', buf_size=256,
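Review bot: the `chr` branch still calls `eval(f'"{val}"')`, and its only guard is `re.match(r"^\\\w+$", val)`. That pattern limits val to a backslash followed by word characters, so a quote cannot reach the evaluated literal, but `$` also matches just before a trailing newline and `\w+` accepts sequences that are not valid escapes (a truncated `\x`, for example). In those cases eval raises SyntaxError, and nothing in this branch converts it to TqdmTypeError the way the `int` and `float` branches convert ValueError. I would switch to `re.fullmatch` and decode with `ast.literal_eval` inside a try/except that re-raises TqdmTypeError, which removes the last eval from cast(). It is also worth checking that the decoded value is a single character, as the `len(val) == 1` path does. Minor: the `raise TqdmTypeError(val + ' : ' + typ)` left in the bool branch could use the same f-string as the other raises.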
References
- github.com/advisories/GHSA-g7vv-2v7x-gj9p (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-34062 (ghsa, ADVISORY)
- github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316 (nvd, WEB)
- github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p (nvd, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PA3GIGHPWAHCTT4UF57LTPZGWHAX3GW6 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRECVQCCESHBS3UJOWNXQUIX725TKNY6 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VA337CYUS4SLRFV2P6MX6MZ2LKFURKJC (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PA3GIGHPWAHCTT4UF57LTPZGWHAX3GW6/ (nvd)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRECVQCCESHBS3UJOWNXQUIX725TKNY6/ (nvd)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VA337CYUS4SLRFV2P6MX6MZ2LKFURKJC/ (nvd)