Arbitrary Code Execution in pip

Q: How to fix?

Upgrade pip to version 25.0 or higher.

Threat Intelligence

Proof of concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Code Execution vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-PYTHON-PIP-8685043
published2 Feb 2025
disclosed1 Feb 2025
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 1 Feb 2025

NewCWE-94 (opens in a new tab)

How to fix?

Upgrade pip to version 25.0 or higher.

Overview

Affected versions of this package are vulnerable to Arbitrary Code Execution by implanting a malicious wheel file in pip's installation directory, which will replace the module being installed and get executed during installation.

Note: The specific vulnerable behavior arises because pip._internal.self_outdated_check is loaded after a module is installed, which is fixed in the 25.0 release of pip. However, the assumption of a trusted environment and trusted install files is still maintained and measures must therefore be taken outside the scope of pip to fully secure it against local threats.

References

GitHub Commit

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Local
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
High
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
High
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Arbitrary Code Execution Affecting pip package, versions [24.1b1,25.0)

Severity