Civil 3D Dynamo 2.15 Python 3.8 security risk?

Hi
We are just about to deploy Civil 3D 2023 at my company and today our IT department contacted me because they had found a possible security risk, because Python 3.8 is used in 2.15.

How have you handled this at your company?

Regards,
Patrick

1 Like

Hi Patrick,

Out of interest, what was their description of the security risk?

This post is a good read on a similar strain.

Cpy3 is in there. IT should be able to scan it and validate it is “OK”.

As to the nodes issue, which is what the original conversation was about:

Dating myself, “ACAD.VLX” was mere obfuscation… There is a likelihood - especially on Git - to innocuously incorporate 3rd party libraries to support a project, finding out later that an added project contained trojans, malware, or other maleficence with complete access to systems behind firewalls after an update and compile.

The VLX was easy to spot - but I am unsure if CrowdStrike or other scanners would catch DLLs incorporated in packages behind our firewalls.

I understand the benefit of zero-touch, but we should be able to access the code via Git or other resources to see the code in the background and compile fresh if need be. No one should be in the mindset to push the button that says “Run-me”, which is what effectively happens with these black-box nodes. Are the developers taking on risk and liability, or is there an “as-is” disclaimer with every use or purchase? It is a risk, but I would rather that be a calculated risk and have the opportunity to at least validate the code myself when incorporating it into a graph or routine.

I also have personal bias; Dynamo was meant to be an open platform for learning and exploration of coding and development to automate and expedite processes with macro-like code. Understanding how code works, for those of us who code in Python, is extremely helpful to be able to unwrap nodes and see what is going on under the hood and in many cases rework the base code. If everyone squirrels away code, that learning is cut off at the knees.

Dynamo’s Security Vulnerability – BIM Extension goes over opening code from untrusted resources. Autodesk doesn’t have an official channel for trusted and untrusted, merely reputations on the forums for those creating and adding code and nodes.

Older discussions here: Custom packages - virus and malicous code risk? - #5 by Yna_Db

I understand a desire to monetize, but the risk can be great; weighing that against outright coding in the API in house or through a responsible/liable company is another matter.

1 Like

3.8 has no vulnerabilities I am aware of. 2.7 which is deployed with previous versions of Civil 3D may have some vulnerabilities, and is not maintained by the Python team anymore so that is more likely worth looking at closely.

If your IT team has a specific vulnerability concern please have them post the specifics here, or reach out to @jacob.small and @solamour directly via DM here.

2 Likes

Will do that. Thanks for your reply.
The interesting part is that we already use Dynamo in C3D 2021 and Revit 2021, but I have never heard anything like this from IT before.

I will talk to them tomorrow.
Maybe we can book a meeting, @jacob.small and @solamour
Regards
Patrick

I’m currently on paternity leave (My son joined us earthside 3x weeks ago! :baby: ) but am happy to chat in January 2023 if you still need it.

Essentially we will update CPython3’s versions to capture all security patch updates on each new version, and in extreme enough cases, will release a patch version of Dynamo.

2 Likes

Does that mean it is advised to uninstall previous versions of Civil 3D or remove the folders containing Dynamo DLLs?

Nope - just that you need to be diligent as you are with any other software in your environment.

If you have any unpatched Revit or Civil 3D builds, or either from before 2019 I would personally classify those as a higher risk, but your infosec team should make these calls, not me.

Now we have done some research and found out that the issue is not in Civil 3D 2023, Dynamo and Python when you run scripts locally.
The issue is when a user connects to a website: the code is exposed ”outside” the application, and when we want to exchange information, at that moment Python code can cause a security breach.

So… we will continue to deploy Civil 3D 2023 :partying_face:
Thanks for your reply, @solamour and @jacob.small.
Congratulations on your baby, @solamour
Regards,
Patrick

3 Likes

Glad to hear you can continue to use Civil 3D and Dynamo :smiley: And thanks for the kind words Patrick.

1 Like