🐍 PyPI

GHSA-38jr-29fh-w9vm

HIGH

ansys-geometry-core OS Command Injection vulnerability

Also known as: CVE-2024-29189
Published: Mar 25, 2024
Updated: Dec 20, 2025
Affected: 2 pkgs
Patched: 2 / 2
Exploits: None indexed

EPSS Exploitation Probability (via FIRST.org)

0.3% probability of exploitation in next 30 days
Lower risk: 25th percentile (+0.22%)
(EPSS score history chart, Dec 2025 to Jun 2026, not reproduced here)

EPSS (Exploit Prediction Scoring System) is a daily-updated probability model maintained by FIRST.org. It estimates the likelihood that a CVE will be exploited in the wild within the next 30 days, derived from observed exploitation activity and the characteristics of the vulnerability. It says nothing about whether the vulnerable code path is reachable in your own deployment; treat it as a prioritisation signal, not as proof of safety.

Blast Radius

2 pkgs affected
🐍 ansys-geometry-core (listed twice: one entry per affected version line, see Affected Packages below)


Description

subprocess call with shell=True identified, security issue (Bandit check B602; see the Bandit link under More information).

Code

On file src/ansys/geometry/core/connection/product_instance.py (pre-fix code, with the imports the excerpt relies on shown for completeness):

import os
import subprocess
from typing import Dict, List


def _start_program(args: List[str], local_env: Dict[str, str]) -> subprocess.Popen:
    """
    Start the program where the path is the first item of the ``args`` array argument.

    Parameters
    ----------
    args : List[str]
        List of arguments to be passed to the program. The first list's item shall
        be the program path.
    local_env : Dict[str,str]
        Environment variables to be passed to the program.

    Returns
    -------
    subprocess.Popen
        The subprocess object.
    """
    # Vulnerable call: on every platform except Windows, shell=True hands
    # args[0] to /bin/sh -c, so shell metacharacters in the program path are
    # interpreted, and any remaining list items become the shell's positional
    # parameters rather than arguments to the program.
    return subprocess.Popen(
        args,
        shell=os.name != "nt",
        stdin=subprocess.DEVNULL,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        env=local_env,
    )

Upon calling this method _start_program directly, users could exploit its usage to perform malicious operations on the current machine where the script is run: on every platform other than Windows the call used shell=True, so the first item of args (the program path) is interpreted by /bin/sh, and shell metacharacters such as ; or $(...) in it are executed instead of being treated as part of a file name. With the resolution made through #1076 and #1077, we make sure that this method is only called from within the library and we are no longer enabling the shell=True option.
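The following is an added example, not code from pyansys-geometry or from the advisory. It places a function mirroring the pre-fix pattern (shell=True on non-Windows platforms) beside a hardened form that never uses the shell and refuses a "program path" that does not resolve to a real executable. The function names run_vulnerable, run_fixed and demo, and the tainted input string, are constructed for the demonstration; it assumes a POSIX system with /bin/sh and an echo binary on PATH, and passes the parent environment merged with local_env so the child can be found.

```python
import os
import shutil
import subprocess
from typing import Dict, List

# Constructed input for the demonstration (not taken from the project): an
# attacker who can influence the "program path" supplies a string carrying a
# shell command separator.
TAINTED_PROGRAM = "echo launching; echo INJECTED"


def run_vulnerable(args: List[str], local_env: Dict[str, str]) -> str:
    """Mirror the pre-fix pattern: shell=True on every platform except Windows.

    With shell=True and a *list* argument, Popen runs
    ``/bin/sh -c args[0] args[1] ...``: args[0] is parsed by the shell and the
    remaining items become the shell's positional parameters ($0, $1, ...),
    not arguments of the program. Returns the child's stdout.
    """
    proc = subprocess.run(
        args,
        shell=os.name != "nt",
        env={**os.environ, **local_env},  # demo convenience; the project passed local_env alone
        capture_output=True,
        text=True,
    )
    return proc.stdout


def run_fixed(args: List[str], local_env: Dict[str, str]) -> str:
    """Hardened form: never use the shell, and require that args[0] names a
    real executable before launching it.

    shutil.which() returns None for a string that is neither an executable on
    PATH nor a path to one, so a "program path" carrying shell syntax is
    rejected instead of being handed to /bin/sh.
    """
    if not args:
        raise ValueError("args must contain at least the program path")
    program = shutil.which(args[0])
    if program is None:
        raise ValueError(f"not an executable: {args[0]!r}")
    proc = subprocess.run(
        [program, *args[1:]],
        shell=False,  # each list item reaches the program as one argv entry
        env={**os.environ, **local_env},
        capture_output=True,
        text=True,
    )
    return proc.stdout


def demo() -> Dict[str, object]:
    """Run both variants on the tainted input and report what happened."""
    results: Dict[str, object] = {}
    # 1. Vulnerable: /bin/sh honours the ';', so the INJECTED command runs.
    results["vulnerable_output"] = run_vulnerable([TAINTED_PROGRAM], {})
    # 2. Vulnerable, second effect: extra list items are consumed by the shell
    #    as $0, so "second" never reaches echo.
    results["vulnerable_args_dropped"] = run_vulnerable(["echo first", "second"], {})
    # 3. Fixed: the tainted string is not an executable, so it is refused.
    try:
        run_fixed([TAINTED_PROGRAM], {})
        results["fixed_rejected"] = False
    except ValueError:
        results["fixed_rejected"] = True
    # 4. Fixed: the same metacharacters passed as an argument are inert;
    #    echo prints them literally and nothing after ';' is executed.
    results["fixed_literal"] = run_fixed(["echo", "launching; echo INJECTED"], {})
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The executable check in run_fixed is a belt-and-braces addition on top of dropping shell=True; the advisory's own fix relies on shell=False plus keeping _start_program internal to the library, and that alone is enough to stop the shell from ever seeing the program path.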

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

For more information see https://cwe.mitre.org/data/definitions/78.html

More information

Visit https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html for more information on the Bandit check (B602) that flags this pattern.

Affected Packages

2 total, 2 fixed

Ecosystem  Package              Vulnerable range    Fix
PyPI       ansys-geometry-core  >= 0.3.0, < 0.3.3   0.3.3
PyPI       ansys-geometry-core  >= 0.4.0, < 0.4.12  0.4.12

Detection & mitigation playbook

Open-source dependency
  1. Detect

    Scan your dependency tree (requirements.txt, poetry.lock, Pipfile.lock, pdm.lock, or the output of pip freeze) for ansys-geometry-core. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update ansys-geometry-core to 0.3.3 or later on the 0.3 line, or to 0.4.12 or later on the 0.4 line (0.4.0 through 0.4.11 are still vulnerable even though they are newer than 0.3.3), then make sure no transitive (indirect) dependency still pins a vulnerable range. O3 confirms GHSA-38jr-29fh-w9vm is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: do not call the private helper _start_program directly, and make sure the program path and arguments used to launch the product cannot be influenced by untrusted input, since in affected versions the first item of args is handed to /bin/sh on non-Windows platforms. Gate or disable the affected feature where you can. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-38jr-29fh-w9vm is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-38jr-29fh-w9vm. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
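As an added example of the Detect and Fix steps above (not O3's tooling and not part of the advisory), the following checks pinned versions in pip-style requirements text against the two affected ranges from the Affected Packages table and reports the first fixed release for each hit. The sample requirements content is constructed; the functions normalize_name, parse_version, fix_for and scan_requirements are named here for illustration. It only judges exact == pins and only plain major.minor.patch versions, refusing anything else rather than silently passing it.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# The two vulnerable ranges and their fixes, exactly as listed under
# Affected Packages: (lower bound inclusive, upper bound exclusive, fix).
AFFECTED_RANGES: List[Tuple[Version, Version, str]] = [
    ((0, 3, 0), (0, 3, 3), "0.3.3"),
    ((0, 4, 0), (0, 4, 12), "0.4.12"),
]
PACKAGE = "ansys-geometry-core"

# Constructed sample requirements content (pip freeze style); not from any real project.
SAMPLE_REQUIREMENTS = """\
numpy==1.26.4
ansys-geometry-core==0.4.3
ansys_geometry_core==0.3.1              # same package, non-normalised spelling
ansys-geometry-core==0.3.3              # first fixed release on the 0.3 line
ansys-geometry-core[graphics]==0.4.12   # first fixed release on the 0.4 line
"""

# name, optional [extras], '==', version
_PIN = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.+!-]*)"
)


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: runs of '-', '_' and '.' collapse to '-', lower-cased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> Version:
    """Accept only plain major.minor.patch. Anything else (pre-releases, local
    versions, two-component versions) raises so it is never silently judged safe."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if m is None:
        raise ValueError(f"unsupported version format: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fix_for(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` is vulnerable, else None."""
    parsed = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= parsed < high:
            return fixed
    return None


def scan_requirements(text: str) -> List[Tuple[str, str, str]]:
    """Return (name as written, pinned version, fix) for every vulnerable pin
    of the affected package. Only exact '==' pins are examined; a range such
    as '>=0.4' cannot be judged without resolving it."""
    findings: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = _PIN.match(line)
        if m is None:
            continue
        name, version = m.group(1), m.group(2)
        if normalize_name(name) != PACKAGE:
            continue
        fix = fix_for(version)
        if fix is not None:
            findings.append((name, version, fix))
    return findings


if __name__ == "__main__":
    for name, version, fix in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name}=={version} is vulnerable to GHSA-38jr-29fh-w9vm; upgrade to {fix}")
```

Run it against `pip freeze` output from the environment that actually ships, not only against the top-level requirements file, since a transitive pin is what the Fix step warns about.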

O3 Security · Impact-Aware SCA

Is GHSA-38jr-29fh-w9vm in your dependencies?

O3 detects GHSA-38jr-29fh-w9vm across PyPI dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.