pymanager Current Working Directory-Based Module Hijacking Vulnerability

A vulnerability in pymanager version 26.0 allows for arbitrary local code execution by manipulating the module import path. The issue arises because pymanager's alias wrapper sets the current working directory as the first entry in the module search path. This prioritization enables the execution of malicious modules placed in the current directory, instead of the intended ones, when commands are run through pymanager.

Impact

Exploitation of this vulnerability allows for arbitrary code execution using a malicious module placed in the current working directory, with no need for elevated privileges. The issue can be triggered during regular development activities, particularly in shared environments or when working with untrusted sources.

Reproduction

To reproduce this vulnerability, create a directory and navigate into it. Place a Python script named 'requests.py' in this directory that prints a success message. Then, create another script 'poc.py' that sets 'sys.path[0]' to the current working directory and imports the 'requests' module. When 'poc.py' is executed, the malicious 'requests.py' module will be imported instead of the legitimate one, demonstrating the module hijacking.

Remediation

Users can upgrade to pymanager version 26.1 or later to address this vulnerability.