Well... I know it's kind of not a complete answer but...

Do you really need to let people run code?

The reason I ask is because it's quite simple to pass an import statement even though it's blacklisted.

Try running this:

x = "im"; y="port"; print(str(x+y+" module"))
Answer from Cássio Rodrigo Peluso on Stack Overflow
🌐
Readthedocs
python-security.readthedocs.io › vulnerabilities.html
Python Security Vulnerabilities — Python Security 0.0 documentation
Status of Python branches lists Python branches which get security fixes. Total: 95 vulnerabilities. Table of Contents: Parsing errors in email/_parseaddr.py lead to incorrect value in email address part of tuple · Vulnerable Versions · Python issue · CVE-2023-27043 ·
🌐
Slashdot
developers.slashdot.org › story › 26 › 02 › 21 › 064205 › how-pythons-security-response-team-keeps-python-users-safe
How Python's Security Response Team Keeps Python Users Safe - Slashdot
February 22, 2026 - This week the Python Software Foundation explained how they keep Python secure. A new blog post recognizes the volunteers and paid Python Software Foundation staff on the Python Security Response Team (PSRT), who "triage and coordinate vulnerability reports and remediations keeping all Python users...
Discussions

Microsoft Vulnerability Manager Security Recommendations - Python
Microsoft Vulnerability Manager Security Recommendations is advising to Update Python as it is currently version 3.7.7.0 however, when installing Python latest version (3.12.30) from https://www.python.org/downloads/ it is still reporting on Microsoft… More on learn.microsoft.com
🌐 learn.microsoft.com
May 1, 2024
Does my Python code have any security issues with the new implemented approach? - Stack Overflow
I am currently responsible for implementing new functions, which are supposed to be secure. As we had recently code injections, I implemented an if block to black list all dangerous commands. #! /u... More on stackoverflow.com
🌐 stackoverflow.com
Python Security Question
Hi First of all, I’m no software or programmer expert, but one of our users is wanting to use Python to write scripts to help with their “job” to test products (not IT related). After looking into it, I have concerns over the use of Python as it can do and control a lot of things these ... More on community.spiceworks.com
🌐 community.spiceworks.com
November 17, 2020
How is Python used for security?

One good book I recommend is Violent Python -- it goes over how to use Python to do penetration testing, analyze network traffic, etc., and can give you some good insight into how Python can be used in the security industry.

More on reddit.com
🌐 r/learnprogramming
July 1, 2015
🌐
Avatao
avatao.com › home › python best practices and common security issues
Python best practices and common security issues
June 12, 2025 - They say security starts with Python 3, and this one is a classic example of that. This function not simply takes user input but evaluates it immediately as well (like `eval()`). It works as expected with numbers, but once you start entering strings, you’ll see it tries to find variables with the submitted names and throws an error if it can’t.
🌐
Nocomplexity
nocomplexity.com › weakness-or-vulnerability
A Guide to Python Security Flaws: From Weakness to Vulnerability – NO Complexity
December 19, 2025 - A Python application using eval(input()) where an attacker can inject Python code to run arbitrary commands. The weakness (eval use) has become a vulnerability because it’s exploitable. Using assert statements in production code. The weakness (assert use) can become a vulnerability because ...
🌐
Microsoft Learn
learn.microsoft.com › en-us › answers › questions › 1661948 › microsoft-vulnerability-manager-security-recommend
Microsoft Vulnerability Manager Security Recommendations - Python - Microsoft Q&A
May 1, 2024 - Microsoft Vulnerability Manager Security Recommendations is advising to Update Python as it is currently version 3.7.7.0 however, when installing Python latest version (3.12.30) from https://www.python.org/downloads/ it is still reporting on Microsoft…
🌐
Snyk
snyk.io › blog › python-security-best-practices-cheat-sheet
Python security best practices cheat sheet | Snyk
September 27, 2021 - To ensure that your project is sustainable and you do not expose yourself to unnecessary Python security and legal risks, scan and fix license and vulnerability issues in your project’s dependencies.
🌐
Black Duck
blackduck.com › blog › python-security-best-practices.html
Six Python Security Best Practices for Developers | Black Duck Blog
March 18, 2024 - Another advantage of Python is its big community that takes care of reported security flaws quickly. If you have questions about the current state of Python vulnerabilities, this page should provide some answers. It’s important to mention that Python versions are not fully compatible with each other—there are differences that will not allow you to run code you wrote in Python 2.x with Python 3.x versions. This raises many issues for developers, as it requires them to rewrite a lot of code in order to move to the later version of Python.
🌐
Cisco Blogs
blogs.cisco.com › cisco blogs › developer › 5 python security traps you need to avoid
5 Python Security Traps You Need to Avoid
March 30, 2022 - As example Python library, the Requests package (who doesn’t use this one?) before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. ... This vulnerability can be fixed by updating (and testing!) all the packages for which updates are available. (DUH!) You can also use tools to help with this after the fact: Static application security testing (SAST) – static test that happens without executing the code.
🌐
Worktribe
uwe-repository.worktribe.com › output › 10623319 › static-analysis-of-security-issues-of-the-python-packages-ecosystem
Static analysis of security issues of the Python packages ecosystem
April 16, 2023 - The most problematic areas have been improper input validation and denial of service attacks. A hybrid scanning tool that combines the three scanners bandit, snyk and dlint, which provide a clear report of the code vulnerability, is also described. ... Performance of vehicle ad-hoc networks ...
🌐
Ubuntu
ubuntu.com › security › notices › USN-6891-1
USN-6891-1: Python vulnerabilities | Ubuntu security notices | Ubuntu
July 11, 2024 - It was discovered that Python incorrectly handled certain crafted zip files. An attacker could possibly use this issue to crash the program, resulting in a denial of service. (CVE-2024-0450) ...
🌐
Codethink
codethink.co.uk › articles › 2023 › pypi-safety
PyPI Security: How to Safely Install Python Packages
PyPI is a popular platform for sharing Python libraries. This article offers tips for safe use, considering recent malware attacks on the platform.
🌐
Assured
assured.co.uk › interviews, features, and insights › what’s wrong with open source, and how to fix it
What’s Wrong with Open Source, and How to Fix It • Assured
January 21, 2025 - There are over 12 million of these data points; providing a useful analysis of how FOSS is used, and where security risk is most pronounced. Among the main cybersecurity risks outlined in the report are: Despite Python 3 coming online in 2008, in some disciplines like data analysis and computer graphics, over a quarter of Python developers use the older version.
🌐
Ubuntu
ubuntu.com › security › notices › USN-7180-1
USN-7180-1: Python vulnerabilities | Ubuntu security notices | Ubuntu
It was discovered that Python incorrectly handled certain scripts. An attacker could possibly use this issue to execute arbitrary code or cause a crash.
🌐
Amazon UK
amazon.co.uk › Mastering-Python-Networking-Security-networking › dp › 1788992512
Mastering Python for Networking and Security: Leverage Python scripts and libraries to overcome networking and security issues: Amazon.co.uk: Ortega, José Manuel: 9781788992510: Books
Buy Mastering Python for Networking and Security: Leverage Python scripts and libraries to overcome networking and security issues by Ortega, José Manuel (ISBN: 9781788992510) from Amazon's Book Store. Everyday low prices and free delivery on eligible orders.
(4.2)
Price   £37.97
🌐
Vulert
vulert.com › vuln-db › rocky-linux-9-python3-9-186000
Moderate Security Update for Python 3.9: Addressing Vulnerabilities in Virtual Environment Activation and IPv6 Validation
The vulnerabilities in Python 3.9 include improper handling of virtual environment activation scripts, which do not quote paths, potentially leading to path traversal attacks (CVE-2024-9287).
🌐
Bright Security
brightsec.com › blog › sql-injection-python
SQL Injection in Python: Example and Prevention
August 10, 2025 - When you import a module into a Python application, the interpreter runs the code. This means you should be careful when importing modules. The PyPi package index is a great resource, but there is no verification that all the code in libraries listed there is secure.
🌐
Vulert
vulert.com › vuln-db › rocky-linux-8-python3-12-178272
Critical Security Flaws in Python 3.12: Addressing Unbounded Memory and Path Quoting Issues
However, recent security ... in Python 3.12 stem from two primary issues: first, the activation scripts for virtual environments (venv) do not properly ......
🌐
Amazon UK
amazon.co.uk › Python-Security-Networking-Leverage-applications › dp › 1837637555
Python for Security and Networking: Leverage Python modules and tools in securing your network and applications, 3rd Edition: Amazon.co.uk: Ortega, Jose Manuel: 9781837637553: Books
Buy Python for Security and Networking: Leverage Python modules and tools in securing your network and applications, 3rd Edition 3 by Ortega, Jose Manuel (ISBN: 9781837637553) from Amazon's Book Store. Everyday low prices and free delivery on eligible orders.
(4.4)
Price   £37.99