CVE-2025-55037: TkEasyGUI Vulnerable to OS Command Injection

September 5, 2025

Improper neutralization of special elements used in an OS command (‘OS Command Injection’) issue exists in TkEasyGUI versions prior to v1.0.22. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote unauthenticated attacker if the settings are configured to construct messages from external sources.

References

github.com/advisories/GHSA-hfrj-3w3g-jv32
github.com/kujirahand/tkeasygui-python
github.com/kujirahand/tkeasygui-python/releases/tag/v1.0.22
jvn.jp/en/jp/JVN48739895
nvd.nist.gov/vuln/detail/CVE-2025-55037

Code Behaviors & Features

Detect and mitigate CVE-2025-55037 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →