pyinstaller 4.1 vulnerabilities

Known vulnerabilities in the pyinstaller package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Arbitrary Code Injection pyinstaller is a package that bundles a Python application and all its dependencies into a single package Affected versions of this package are vulnerable to Arbitrary Code Injection in the `bootstrap` process. An attacker can achieve arbitrary code execution by placing malicious files or directories in the same location as a vulnerable PyInstaller application. When the application starts, it can be tricked into loading and running the attacker's Python code due to how PyInstaller handles `sys.path` and attempts to load an optional bytecode decryption module. If the application runs with elevated privileges, this can lead to local privilege escalation. This exploit works in both "onedir" and "onefile" modes, but only if the optional bytecode encryption feature was not enabled during the application's build. Notes: This is only exploitable if the filesystem supports creation of files/directories that contain '?' in their name (i.e., non-Windows systems) and the attacker is able to determine the offset at which the PYZ archive is embedded in the executable. How to fix Arbitrary Code Injection? Upgrade `pyinstaller` to version 6.0.0 or higher.	[,6.0.0)
H Race Condition pyinstaller is a package that bundles a Python application and all its dependencies into a single package Affected versions of this package are vulnerable to Race Condition when processes are spawned concurrently from multiple threads. This issue particularly affects the "spawn" method of multiprocessing, which is not thread-safe on Linux. Note This only affects Linux users. How to fix Race Condition? Upgrade `pyinstaller` to version 5.8.0 or higher.	[,5.8.0)
M Execution with Unnecessary Privileges pyinstaller is a package that bundles a Python application and all its dependencies into a single package Affected versions of this package are vulnerable to Execution with Unnecessary Privileges. When the `tempfile.mkdtemp` function is used, it creates a temporary directory that should only be accessible by the creating user ID. However, on Windows systems, the `0o700 POSIX` permissions mask has no effect, leading to potential security issues. An attacker with local access can interfere with the application by modifying the contents of the temporary directory if it is located in a system-wide location and the application is running in privileged mode with developer mode enabled. This is only exploitable if the temporary directory base is relocated to a system-wide location (e.g., `c:\temp`) and developer mode is enabled on the system. How to fix Execution with Unnecessary Privileges? Upgrade `pyinstaller` to version 5.13.1 or higher.	[,5.13.1)

Vulnerability

Vulnerable Version

Arbitrary Code Injection

pyinstaller is a package that bundles a Python application and all its dependencies into a single package

Affected versions of this package are vulnerable to Arbitrary Code Injection in the bootstrap process. An attacker can achieve arbitrary code execution by placing malicious files or directories in the same location as a vulnerable PyInstaller application. When the application starts, it can be tricked into loading and running the attacker's Python code due to how PyInstaller handles sys.path and attempts to load an optional bytecode decryption module. If the application runs with elevated privileges, this can lead to local privilege escalation. This exploit works in both "onedir" and "onefile" modes, but only if the optional bytecode encryption feature was not enabled during the application's build.

Notes: This is only exploitable if the filesystem supports creation of files/directories that contain '?' in their name (i.e., non-Windows systems) and the attacker is able to determine the offset at which the PYZ archive is embedded in the executable.

How to fix Arbitrary Code Injection?

Upgrade pyinstaller to version 6.0.0 or higher.

[,6.0.0)

Race Condition

pyinstaller is a package that bundles a Python application and all its dependencies into a single package

Affected versions of this package are vulnerable to Race Condition when processes are spawned concurrently from multiple threads. This issue particularly affects the "spawn" method of multiprocessing, which is not thread-safe on Linux.

Note

This only affects Linux users.

How to fix Race Condition?

Upgrade pyinstaller to version 5.8.0 or higher.

[,5.8.0)

Execution with Unnecessary Privileges

pyinstaller is a package that bundles a Python application and all its dependencies into a single package

Affected versions of this package are vulnerable to Execution with Unnecessary Privileges. When the tempfile.mkdtemp function is used, it creates a temporary directory that should only be accessible by the creating user ID. However, on Windows systems, the 0o700 POSIX permissions mask has no effect, leading to potential security issues. An attacker with local access can interfere with the application by modifying the contents of the temporary directory if it is located in a system-wide location and the application is running in privileged mode with developer mode enabled. This is only exploitable if the temporary directory base is relocated to a system-wide location (e.g., c:\temp) and developer mode is enabled on the system.

How to fix Execution with Unnecessary Privileges?

Upgrade pyinstaller to version 5.13.1 or higher.

[,5.13.1)

pyinstaller@4.1 vulnerabilities

PyInstaller bundles a Python application and all its dependencies into a single package.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?