pip@6.0.2 vulnerabilities

The PyPA recommended tool for installing Python packages.

  • latest version

    25.1.1

  • first published

    16 years ago

  • latest version published

    2 months ago

  • Direct Vulnerabilities

    Known vulnerabilities in the pip package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version

    • Arbitrary Command Injection (severity: M)

      Affected versions of this package are vulnerable to Arbitrary Command Injection when installing a package from a Mercurial VCS URL. An attacker can inject arbitrary configuration options into the hg clone call via the --config option, which can change how, and which, repository is installed. This is only exploitable when installing from Mercurial VCS URLs.

      How to fix Arbitrary Command Injection?

      Upgrade pip to version 23.3 or higher.

      Vulnerable versions: [,23.3)

    • Improper Input Validation (severity: M)

      Affected versions of this package are vulnerable to Improper Input Validation. Splitting on Unicode separators in git references could be maliciously used to install a different revision of the repository.

      How to fix Improper Input Validation?

      Upgrade pip to version 21.1 or higher.

      Vulnerable versions: [,21.1)

    • Directory Traversal (severity: H)

      Affected versions of this package are vulnerable to Directory Traversal via _download_http_url in _internal/download.py. When a URL is given in an install command, the Content-Disposition header can have ../ in its filename.

      How to fix Directory Traversal?

      Upgrade pip to version 19.2 or higher.

      Vulnerable versions: [,19.2)
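The Directory Traversal entry above describes a server-controlled Content-Disposition filename being joined onto the download directory unchecked. The following is an added example (not pip's own code) of the defensive handling a downloader should apply: parse the header with the standard library, keep only the final path component, and verify the resulting path stays inside the download directory. The function names and the sample download directory are assumptions for illustration.

```python
import os
import posixpath
from email.message import Message
from typing import Optional


def filename_from_content_disposition(header: str) -> Optional[str]:
    """Extract the filename parameter (quoted, unquoted or RFC 2231
    encoded) using the standard library's MIME header parser."""
    msg = Message()
    msg["Content-Disposition"] = header
    return msg.get_filename()


def sanitize_content_filename(filename: str) -> str:
    """Keep only the final path component of a server-supplied name.
    Both separator styles are normalised first so '..\\..\\x' cannot
    escape on Windows either."""
    name = posixpath.basename(filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError(f"unusable filename in Content-Disposition: {filename!r}")
    return name


def escapes_download_dir(download_dir: str, filename: str) -> bool:
    """True if joining the name onto the download directory would land
    outside it. This is the check a naive os.path.join() lacks."""
    base = os.path.normpath(download_dir)
    target = os.path.normpath(os.path.join(base, filename))
    return os.path.commonpath([base, target]) != base


def download_target(download_dir: str, header: Optional[str], url: str) -> str:
    """Choose where to write a downloaded archive: the sanitised
    Content-Disposition name if present, else the last URL path segment."""
    raw = filename_from_content_disposition(header) if header else None
    if not raw:
        raw = url.split("?", 1)[0].rsplit("/", 1)[-1]
    name = sanitize_content_filename(raw)
    # Belt and braces: sanitising should already make this impossible.
    if escapes_download_dir(download_dir, name):
        raise ValueError(f"refusing to write outside {download_dir!r}: {name!r}")
    return os.path.join(download_dir, name)
```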