There is a MEDIUM severity vulnerability affecting CPython.

A vulnerability has been found in the CPython venv module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the virtual environment creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

Please see the linked CVE ID for the latest information on affected versions:

• https://www.cve.org/CVERecord?id=CVE-2024-9287
• https://github.com/python/cpython/pull/124712