CVE-2026-42301
Command Injection in pyp2spec Prior to Version 0.14.1
Publication date: 2026-05-09
Last updated on: 2026-05-09
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| befeleme | pyp2spec | up to 0.14.1 (0.14.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows arbitrary code execution on the build machine by exploiting improper input validation in pyp2spec, potentially compromising the confidentiality, integrity, and availability of the system.
Such a compromise could lead to unauthorized access or modification of sensitive data during the software build process, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of data confidentiality and integrity.
Specifically, if the build environment handles regulated data or is part of a pipeline that processes such data, this vulnerability could increase the risk of data breaches or unauthorized data manipulation, thereby affecting compliance.
Can you explain this vulnerability to me?
The vulnerability in pyp2spec versions before 0.14.1 involves improper input validation where PyPI package metadata, such as the summary field, was written directly into generated RPM spec files without escaping RPM macro directives.
When these spec files are processed by rpmbuild or other RPM tools, the unescaped macro directives can be evaluated and executed, allowing a malicious package to run arbitrary commands on the build machine.
This can be exploited through typosquatting or targeting packages under Fedora review, potentially compromising the packager's workstation and leading to malicious source commits.
The issue was fixed in version 0.14.1.
How can this vulnerability impact me?
This vulnerability can lead to arbitrary code execution on the build machine when a malicious package is processed by rpmbuild.
As a result, an attacker could compromise the packager's workstation, potentially gaining access to sensitive data, altering source code repositories with malicious commits, and disrupting the build process.
The CVSS score of 7.8 indicates a high severity with significant impacts on confidentiality, integrity, and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves pyp2spec versions before 0.14.1 writing unescaped PyPI package metadata into RPM spec files, which can lead to code execution when rpmbuild processes these files.
To detect this vulnerability on your system, you should check the version of pyp2spec installed and inspect generated RPM spec files for unescaped RPM macro directives in metadata fields such as the summary.
Suggested commands include:
- Check pyp2spec version: `pyp2spec --version`
- Search generated spec files for suspicious macro directives in metadata fields, for example: `grep -E '%\{.*\}' /path/to/generated/specfile.spec`. Note that this pattern also matches every legitimate `%{...}` reference in the spec body, so concentrate on the preamble tag lines (Summary and similar) whose values are copied from PyPI metadata and should not contain a bare `%` at all.
- Review recent spec files for unusual or unexpected macro expansions that could indicate injected commands.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade pyp2spec to version 0.14.1 or later, where this vulnerability has been patched.
Until the upgrade is applied, avoid building RPMs from spec files generated by vulnerable versions of pyp2spec, especially those containing untrusted or external PyPI package metadata.
Additionally, review and sanitize any spec files generated by vulnerable versions before running rpmbuild to prevent execution of malicious macro directives.
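The detection and sanitization steps above, as an added example that is not pyp2spec's own code: it flags any bare `%` in preamble metadata tag values (generalised from the Summary field the advisory names to the License and URL tags as well, which is an assumption) and doubles it to the `%%` literal that RPM does not expand. The spec fragment and the list of section headers are constructed for the demo.

```python
import re
from typing import List, Tuple

# Preamble tags that pyp2spec fills from PyPI metadata; Summary is the one the advisory names.
METADATA_TAGS = {"Summary", "License", "URL"}
TAG_LINE = re.compile(r"^([A-Za-z]+):(\s*)(.*)$")
SECTION_HEADER = re.compile(r"^%(description|package|prep|build|install|check|files|changelog)\b")
# A '%' that is not half of the literal '%%' escape starts a macro that rpmbuild will expand.
UNESCAPED_PERCENT = re.compile(r"(?<!%)%(?!%)")

# Constructed spec fragment for this demo (not real pyp2spec output): the Summary carries a
# stray '%' and a macro reference copied verbatim from untrusted package metadata.
SAMPLE_SPEC = """\
Name:           python-example
Summary:        Tooling that is 100% tested %{unknown_macro}
License:        MIT
URL:            https://example.invalid/project

%description
Demo package.
"""

def find_unescaped_macros(spec_text: str) -> List[Tuple[str, str]]:
    """Return (tag, value) pairs of preamble metadata fields holding a '%' rpmbuild would expand."""
    hits = []
    for line in spec_text.split("\n"):
        if SECTION_HEADER.match(line):  # the first section header ends the preamble
            break
        m = TAG_LINE.match(line)
        if m and m.group(1) in METADATA_TAGS and UNESCAPED_PERCENT.search(m.group(3)):
            hits.append((m.group(1), m.group(3)))
    return hits

def escape_rpm_metadata(value: str) -> str:
    """Double every lone '%' so RPM treats the text literally; already-escaped text is unchanged."""
    return UNESCAPED_PERCENT.sub("%%", value)

def sanitize_preamble(spec_text: str) -> str:
    """Rewrite the preamble so each metadata tag value is macro-safe; all other lines are untouched."""
    out, in_preamble = [], True
    for line in spec_text.split("\n"):
        if in_preamble and SECTION_HEADER.match(line):
            in_preamble = False
        m = TAG_LINE.match(line) if in_preamble else None
        if m and m.group(1) in METADATA_TAGS:
            line = f"{m.group(1)}:{m.group(2)}{escape_rpm_metadata(m.group(3))}"
        out.append(line)
    return "\n".join(out)
```

Run `find_unescaped_macros` over specs produced by a vulnerable version before invoking rpmbuild, and pass a flagged spec through `sanitize_preamble` (then re-check it) if you must build from it before upgrading.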