CVE: CVE-2022-2054
Vulnerability Type: CWE-77: Command Injection
Severity: High (8.4)
Registry: PyPI
Affected Version: 0.9
Status: Fixed
Disclosure Bounty: $35
Fix Bounty: $6.25
Found by: who Killeddddb

Description:
- The function uses the function, which can lead to code execution in the context of the running program.
- An attacker who can set environment variables such as , , or can execute commands with the privileges of the running program.
- A comparable case is CVE-2022-0845 in PyTorch-Lightning.

Proof of Concept:
- Set the malicious payload:
- Run:
- The code gets executed.

Impact:
- Arbitrary code can be executed on the target system in the context of the user running the program.
- This allows attackers to gain access to systems and to read or write malicious files.

Remediation:
- Manually parse the environment variable and iterate over it to resolve the value of , instead of evaluating its contents as code.

Occurrences:
- lines 108, 45, and 117.

References:
- Code Injection in GitHub repository prior to 1.6.0.
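The remediation above asks for the environment variable to be parsed rather than handed to a function that evaluates it as code. The following is an added example of such a parser; it is not code from the affected package, and the setting names, the accepted value grammar (booleans, integers, floats, and comma-separated lists of those) and the sample environment are assumptions chosen for illustration. Any value that does not fit the grammar is rejected with an exception instead of being interpreted, so text that looks like code is never executed, whatever environment variable it arrives in.

```python
import os
import re
from typing import Dict, List, Optional, Union

# Assumed value grammar for configuration read from the environment (not the
# affected package's own rules): booleans, integers, floats, plain tokens, and
# comma-separated lists of those. Nothing here is ever evaluated as code.
_BOOL_TRUE = {"1", "true", "yes", "on", "y", "t"}
_BOOL_FALSE = {"0", "false", "no", "off", "n", "f"}
_INT_RE = re.compile(r"^[+-]?\d+$")
_FLOAT_RE = re.compile(r"^[+-]?(\d+\.\d*|\.\d+|\d+)([eE][+-]?\d+)?$")
# Plain tokens are restricted to a conservative character set; parentheses,
# quotes, brackets and operators are deliberately excluded.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_./:-]*$")

Scalar = Union[bool, int, float, str]


def parse_scalar(token: str) -> Scalar:
    """Convert one environment token into a typed value by explicit matching.

    Raises ValueError for anything outside the allowed grammar, so a value
    that contains code-like syntax is refused rather than interpreted.
    """
    text = token.strip()
    lowered = text.lower()
    if lowered in _BOOL_TRUE:
        return True
    if lowered in _BOOL_FALSE:
        return False
    if _INT_RE.match(text):
        return int(text)
    if _FLOAT_RE.match(text):
        return float(text)
    if _TOKEN_RE.match(text):
        return text
    raise ValueError(f"environment value contains unsupported characters: {text!r}")


def parse_env_value(raw: str) -> Union[Scalar, List[Scalar]]:
    """Parse a raw environment string: a single scalar or a comma-separated list."""
    if "," in raw:
        return [parse_scalar(part) for part in raw.split(",")]
    return parse_scalar(raw)


def get_env_setting(name: str, default, environ: Optional[Dict[str, str]] = None):
    """Resolve a setting from the environment with explicit parsing.

    `environ` defaults to os.environ; a dict can be passed for testing.
    Missing variables yield `default`; malformed ones raise ValueError.
    """
    env = os.environ if environ is None else environ
    raw = env.get(name)
    if raw is None:
        return default
    return parse_env_value(raw)


if __name__ == "__main__":
    # Constructed sample environment (assumed variable names, not the package's).
    sample_env = {
        "APP_DEBUG": "true",
        "APP_WORKERS": "4",
        "APP_RATIO": "0.25",
        "APP_HOSTS": "db1,db2,db3",
        "APP_BAD": "print(1)",
    }
    print(get_env_setting("APP_DEBUG", False, sample_env))   # True
    print(get_env_setting("APP_WORKERS", 1, sample_env))     # 4
    print(get_env_setting("APP_HOSTS", [], sample_env))      # ['db1', 'db2', 'db3']
    try:
        get_env_setting("APP_BAD", None, sample_env)
    except ValueError as exc:
        print("rejected:", exc)  # code-like text is refused, never executed
```

The key design choice is that every accepted shape is matched explicitly and everything else is an error; the parser never calls into the interpreter, so the environment can only select among values the program already understands.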