Environment variables injection in subprocess on Windows


This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

On Windows, prevent passing invalid environment variables and command arguments to subprocess.Popen.

It is possible to inject an environment variable in subprocess on Windows if a user data is passed to a subprocess via environment variable.

Check for invalid environment (variable names containing ‘=’) and command arguments (containing ‘0’).


  • Disclosure date: 2017-06-22 (Python issue bpo-30730 reported)

Fixed In

Python issue

[security] Injecting environment variable in subprocess on Windows.

  • Python issue: bpo-30730
  • Creation date: 2017-06-22
  • Reporter: Serhiy Storchaka


Timeline using the disclosure date 2017-06-22 as reference: