PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-10075 Tqdm Project CVE debrief

CVE-2016-10075 is a high-severity local code execution issue in tqdm's _version module. According to the CVE description and NVD record, vulnerable versions 4.4.1 and 4.10 can be abused when a crafted repository with a malicious git log is present in the current working directory, allowing arbitrary code execution in the context of the local user who runs the affected code.

Vendor: Tqdm Project
Product: CVE-2016-10075
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-19
Original CVE updated: 2026-05-13
Advisory published: 2017-01-19
Advisory updated: 2026-05-13

Who should care

Administrators and developers who run tqdm 4.4.1 or 4.10 on multi-user systems, developer workstations, CI agents, or build environments should care most, especially if those environments may open or inspect untrusted repositories.

Technical summary

NVD classifies the issue with CVSS 3.0 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and CWE-17. The vulnerable behavior is tied to tqdm._version and is triggered by malicious git log content in the current working directory, making this a local attack surface rather than a network-exposed one. The NVD CPE entries specifically list tqdm 4.4.1 and 4.10 as vulnerable.

Defensive priority

High. Treat this as urgent on any system that may process untrusted repositories or shared working directories, because successful exploitation can lead to full code execution with the privileges of the affected local user.

Recommended defensive actions

  • Upgrade tqdm to a non-vulnerable release before using it in shared, developer, or automation environments.
  • Remove or replace the specifically vulnerable versions 4.4.1 and 4.10 from golden images, dependency locks, and build caches.
  • Avoid running affected tqdm versions in directories that can contain attacker-controlled or untrusted git repositories.
  • Review scripts and CI jobs that import or initialize tqdm in repository workspaces, and constrain them to trusted inputs only.
  • Verify downstream packages and environment images that vendor or pin tqdm, then redeploy after remediation.
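As an added example for the dependency-lock review above (not PatchSiren's or the tqdm project's code), assuming pip-style `name==version` pins, this scanner flags tqdm entries equal to the two NVD-listed versions, treats 4.10 and 4.10.0 as the same release, and reports unpinned or range-pinned entries as unverified; the sample lock file is constructed.

```python
"""Flag tqdm pins matching the versions NVD lists for CVE-2016-10075 (4.4.1, 4.10).
Added example for this debrief, not PatchSiren's or tqdm's code; sample lock is constructed."""
import re

# Versions listed as vulnerable in the NVD CPE criteria for CVE-2016-10075.
VULNERABLE_VERSIONS = ("4.4.1", "4.10")

# Matches "tqdm==4.10", "TQDM == 4.10.0", "tqdm[notebook]>=4.4" or a bare "tqdm".
_PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*"
    r"(===|==|~=|>=|<=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?"
)
# Constructed sample lock file; each line is a case the scanner must handle.
SAMPLE_LOCK = """\
numpy==1.21.0
tqdm==4.10.0    # PEP 440: equal to NVD's '4.10' once trailing zeros are dropped
TQDM == 4.4.1
tqdm>=4.4
tqdm[notebook]==4.65.0
"""

def normalize(version):
    """Canonicalise a release string so '4.10' and '4.10.0' compare equal."""
    parts = [int(p) for p in version.split(".") if p.isdigit()]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def classify_line(line):
    """'vulnerable', 'ok' or 'unpinned' for a tqdm line; None if not about tqdm."""
    m = _PIN_RE.match(line)
    if not m:
        return None
    name, op, ver = m.groups()
    if name.lower().replace("_", "-") != "tqdm":
        return None
    if op not in ("==", "===") or ver is None:
        return "unpinned"  # range or bare name: a resolver may still pick 4.4.1/4.10
    v = normalize(ver)
    return "vulnerable" if any(v == normalize(x) for x in VULNERABLE_VERSIONS) else "ok"

def scan(text):
    """Group every tqdm line of a requirements/lock file by verdict."""
    results = {"vulnerable": [], "ok": [], "unpinned": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        verdict = classify_line(line)
        if verdict:
            results[verdict].append(line)
    return results
```

Run `scan()` over each requirements file, lock file and `pip freeze` output in golden images and CI caches; anything in the "unpinned" bucket still needs an installed-version check.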

Evidence notes

The supplied CVE description states that tqdm._version in versions 4.4.1 and 4.10 can execute arbitrary code via a crafted repo with a malicious git log in the current working directory. NVD lists the same affected versions in its CPE criteria and assigns CVSS 3.0 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H with CWE-17. Public discussion is reflected in the Openwall oss-security thread dated 2016-12-28, and the CVE record was published on 2017-01-19.

Official resources

Public discussion appears in the Openwall oss-security thread on 2016-12-28, and the CVE record was published on 2017-01-19.