CVE-2024-40647: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in getsentry sentry-python
A vulnerability in sentry-python SDK versions prior to 2. 8. 0 causes environment variables to be unintentionally passed to subprocesses despite attempts to restrict them using the env={} argument. This occurs due to a bug in the Stdlib integration, which is enabled by default. The issue can lead to exposure of sensitive environment information to unauthorized subprocesses. The vulnerability has been fixed in version 2. 8. 0. Users are advised to upgrade to the latest SDK version or disable all default integrations if upgrading is not feasible and environment variable exposure is a concern.
AI Analysis
Technical Summary
The sentry-python SDK before version 2.8.0 contains a bug where environment variables are passed to subprocesses even when the subprocess call explicitly sets env={} to prevent this. This behavior is caused by the Stdlib integration enabled by default in the SDK. The unintended passing of environment variables can expose sensitive information to subprocesses that should not receive it. The issue is tracked as CVE-2024-40647 and classified under CWE-200 (Exposure of Sensitive Information). The vulnerability was patched in pull request #3251 and included in sentry-sdk version 2.8.0.
Potential Impact
Sensitive environment variables may be exposed to subprocesses spawned by applications using vulnerable versions of sentry-python SDK. This exposure could lead to unauthorized access to sensitive data contained in environment variables. The CVSS score of 5.3 (medium severity) reflects that the attack vector requires local access with high privileges and no user interaction, and the impact is limited to confidentiality without affecting integrity or availability.
Mitigation Recommendations
A fix is available in sentry-python SDK version 2.8.0. Users should upgrade to version 2.8.0 or later to resolve this vulnerability. If upgrading is not possible, users can mitigate the risk by disabling all default integrations in the SDK to prevent environment variables from being passed to subprocesses. There is no indication that the vulnerability is mitigated by default or that no action is required.
CVE-2024-40647: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in getsentry sentry-python
Description
A vulnerability in sentry-python SDK versions prior to 2. 8. 0 causes environment variables to be unintentionally passed to subprocesses despite attempts to restrict them using the env={} argument. This occurs due to a bug in the Stdlib integration, which is enabled by default. The issue can lead to exposure of sensitive environment information to unauthorized subprocesses. The vulnerability has been fixed in version 2. 8. 0. Users are advised to upgrade to the latest SDK version or disable all default integrations if upgrading is not feasible and environment variable exposure is a concern.
CVSS v3.1
Score 5.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The sentry-python SDK before version 2.8.0 contains a bug where environment variables are passed to subprocesses even when the subprocess call explicitly sets env={} to prevent this. This behavior is caused by the Stdlib integration enabled by default in the SDK. The unintended passing of environment variables can expose sensitive information to subprocesses that should not receive it. The issue is tracked as CVE-2024-40647 and classified under CWE-200 (Exposure of Sensitive Information). The vulnerability was patched in pull request #3251 and included in sentry-sdk version 2.8.0.
Potential Impact
Sensitive environment variables may be exposed to subprocesses spawned by applications using vulnerable versions of sentry-python SDK. This exposure could lead to unauthorized access to sensitive data contained in environment variables. The CVSS score of 5.3 (medium severity) reflects that the attack vector requires local access with high privileges and no user interaction, and the impact is limited to confidentiality without affecting integrity or availability.
Mitigation Recommendations
A fix is available in sentry-python SDK version 2.8.0. Users should upgrade to version 2.8.0 or later to resolve this vulnerability. If upgrading is not possible, users can mitigate the risk by disabling all default integrations in the SDK to prevent environment variables from being passed to subprocesses. There is no indication that the vulnerability is mitigated by default or that no action is required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2024-07-08T16:13:15.512Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1de30ee29bf47b503a5814
Added to database: 6/1/2026, 7:52:46 PM
Last enriched: 6/1/2026, 8:04:33 PM
Last updated: 6/2/2026, 4:59:58 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.