BlogCareersContact Us
< Back to Blog

CTX package vulnerability – what you need to know

Dor Dali
 | May 25, 2022
 | Director of Information Security

Yesterday, serious issues were found with an independently produced update to the CTX package in Python, potentially affecting millions of users who unknowingly installed it. 

The original update and subsequent fallout unfolded over the course of a few days and were documented in multiple Reddit threads. Here’s everything you need to know. 

What is the vulnerability?

The library package CTX extends the built-in dictionary feature in Python. CTX is widely used by many developers and has been around for a while. In fact, it hasn’t been updated since 2014, with the original developer likely having abandoned the project. Nonetheless, it remains important to many developers, and has around a million downloads. 

Generally speaking, CTX is a very simple package. A minimal amount of code means that the attack surface is not large, and so the package should not represent significant risk. 

This all changed when, three days ago, a researcher posted on the r/python subreddit to say that they had released a new package for CTX. Significantly, he didn’t update the Github repository, instead publishing the new version to PyPi. This meant that users who are updating their Python packages to the latest versions also installed the new CTX. 

This new version is malicious since every time a user creates a new dictionary object in Python, all environment variables of the machine are sent to the new creator of CTX. This often includes sensitive data. 

The fact that the original Github repository wasn’t updated was spotted by commenters on the original Reddit thread, who raised concern over a new repository for CTX. 

And, yesterday, a Redditer posted that the new CTX code sends all data to a specific URL, different to the original. 

 

The original owner of CTX had probably let the original domain expire. The creator of the new version took over the domain and the PyPi data and was able to change the URL.

Does it affect me?

If you’re using Python and the CTX package and you’re not aware of the version you’re using, probably. 

It’s also worth noting that, after PyPi saw what had happened, they removed CTX from the repository. As a result, many apps might break. 

Has it been actively exploited in the wild?

Yes. The malicious package has been available since May 14th. 

How do you fix it?

If you are using the CTX library or using a dependency that is using the library, we recommend that you remove it immediately.

Wherever a vulnerability comes from, get ahead of the game with Vulcan Remedy Cloud – the world’s largest vulnerability database dedicated exclusively to remediation to give you quick access to the fixes you need, matching your prioritized vulnerabilities with the right remedies to own your risk.

 

About the Author

Dor Dali

Dor is a cyber security expert with years of experience in security research and security program management, He is very enthusiastic about all things security and holds a deep understanding and knowledge in the fields of web applications, product and infrastructure security.

People also read

How to fix the zero day CVE-2022-22620 vulnerability

Read More >

SANS Cloud Security Survey 2022 – highlights

Read More >

5 Azure Security Tools You Should Know About

Read More >

CIS Benchmarks and system hardening: an introduction

Read More >

Microsoft zero day, More Musk drama, and more: first officer’s log – week 3

Read More >
< Back to Blog
Did you find this interesting? Share it with others: