CVE-2024-40647

Sentry's Python SDK unintentionally exposes environment variables to subprocesses

Description

### Impact

The bug in Sentry's Python SDK results in the unintentional exposure of the parent process's environment variables to subprocesses, even when the caller passes `env={}` to keep them out of the child.

In Python's `subprocess` calls, all of the parent's environment variables are passed to the child by default. If you specifically do not want that, use the `env` argument: the child then receives exactly the mapping you give it and nothing else, as in this example:

```
>>> subprocess.check_output(["env"], env={"TEST":"1"})
b'TEST=1\n'
```

If you'd want to not pass any variables, you can set an empty dict:

```
>>> subprocess.check_output(["env"], env={})
b''
```

However, the bug in Sentry SDK causes the parent's environment variables to be passed to the subprocess even when `env={}` is set, so on an affected version the second call above returns the full parent environment instead of `b''`. Any secrets held in the parent's environment (tokens, credentials, connection strings) therefore reach child processes the caller believed were isolated.
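The quickest way to confirm whether a given process honours `env={}` is to plant a canary in the parent environment and see whether it reaches a child. The probe below is an added example, not code from Sentry or from this advisory; the variable name `ENV_LEAK_PROBE_CANARY` and the function names are its own. Run it once in a plain interpreter and once in a process where `sentry_sdk.init()` has already been called, and compare the two results.

```python
"""Probe whether subprocess calls in this process honour an explicit env mapping.

Added example for this advisory; it is not code from Sentry or from the
advisory itself. It plants a random canary variable in the parent's
environment, spawns a child Python with the env mapping you request and reports
whether the canary crossed into the child.
"""
import json
import os
import secrets
import subprocess
import sys

# Hypothetical variable name used only by this probe.
CANARY = "ENV_LEAK_PROBE_CANARY"

# The child dumps the environment it actually received as JSON on stdout.
CHILD_PROGRAM = "import json, os, sys; sys.stdout.write(json.dumps(dict(os.environ)))"


def child_environment(env):
    """Spawn a child Python with the given env mapping; return the env it saw."""
    out = subprocess.check_output([sys.executable, "-c", CHILD_PROGRAM], env=env)
    return json.loads(out)


def probe_env_isolation(requested_env):
    """Return (leaked, seen): leaked is True if the parent's canary reached the child.

    A correct subprocess.Popen passes exactly requested_env; the bug described
    above would pass the whole parent environment, canary included.
    """
    token = secrets.token_hex(8)
    os.environ[CANARY] = token
    try:
        seen = child_environment(dict(requested_env))
    finally:
        os.environ.pop(CANARY, None)
    return seen.get(CANARY) == token, seen


def unexpected_names(requested_env, seen):
    """Names the child saw that were not in the mapping passed to it.

    Python itself may add LC_CTYPE when started under the C locale (PEP 538),
    so treat the canary result as authoritative and this list as context.
    """
    return sorted(set(seen) - set(requested_env))


if __name__ == "__main__":
    for env in ({}, {"TEST": "1"}):
        leaked, seen = probe_env_isolation(env)
        extra = unexpected_names(env, seen)
        status = "LEAK" if leaked else "ok"
        print(f"env={env!r}: {status}; unexpected names: {extra}")
```

A clean interpreter reports `ok` for both mappings and at most a locale variable under "unexpected names"; a process running an affected SDK version with its default integrations reports `LEAK` and lists the whole parent environment. The canary is a fresh random token on every run, so a stale value left over from an earlier process cannot produce a false positive.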

Patch Available

Fix available through Seal Security. No upgrade required; protect your application instantly.
Vulnerability Details

Score: 2.5
Score Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N
Affected Versions: sentry-sdk >= 2.0.0a1, < 2.8.0 (fixed in 2.8.0); sentry-sdk < 1.45.1 (fixed in 1.45.1)
Severity: Low
Ecosystem: Python
Publish Date: July 18, 2024
Modified Date: June 6, 2025