PyPI: duckdb

CVE-2024-41672

Safety vulnerability ID: SFTY-20240724-45619

Safety legacy ID: pyup.io-76355

Content in filesystem is accessible for reading using sniff_csv, even with enable_external_access=false.

PyPI

NVD

GHSA

Created at: Nov 5, 2025Updated at: Nov 5, 2025

Overview

sniff_csv provides filesystem access even when enable_external_access is disabled in duckdb

Advisory

Content in filesystem is accessible for reading using sniff_csv, even with enable_external_access=false.

Affected Package

Affecting duckdb package, versions

>=1.0.0,<1.1.0

Also affects

---

How to Fix

Upgrade

duckdb

1.1.0

or higher.

Mitigation and Workarounds

---

Vulnerable Functions

Functions linked to known vulnerabilities.

Vulnerable function data is available for Enterprise customers

Book a call with us to see Safety in action.

References

https://getsafety.com/vulnerabilities/SFTY-20240724-45619/CVE-2024-41672
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41672
https://github.com/advisories/GHSA-w2gf-jxc9-pf2q
https://github.com/duckdb/duckdb/security/advisories/GHSA-w2gf-jxc9-pf2q
https://nvd.nist.gov/vuln/detail/CVE-2024-41672
https://github.com/duckdb/duckdb/pull/13133
https://github.com/duckdb/duckdb/commit/c9b7c98aa0e1cd7363fe8bb8543a95f38e980d8a
https://github.com/pypa/advisory-database/tree/main/vulns/duckdb/PYSEC-2024-203.yaml
https://github.com/advisories/GHSA-w2gf-jxc9-pf2q

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.

Learn more