Race Condition Affecting amici package, versions [,0.29.0)

Q: How to fix?

Upgrade amici to version 0.29.0 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Race Condition vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-PYTHON-AMICI-8600633
published1 Jan 2025
disclosed1 Jan 2025
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 1 Jan 2025

CWE-362 (opens in a new tab)

How to fix?

Upgrade amici to version 0.29.0 or higher.

Overview

amici is an Advanced multi-language Interface to CVODES and IDAS

Affected versions of this package are vulnerable to Race Condition due to the use of shared static variables in multi-threaded contexts.

Exploiting this vulnerability is possible by triggering concurrent executions, leading to data corruption or unexpected behavior. The vulnerability arises from the eval_counter and root_buffer variables in solver.cpp and solver_cvodes.cpp not being thread-safe.

References

GitHub Commit

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
High
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
None
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None