CVE-2018-20225 – This CVE describes a dependency confusion vulne... (How to Fix)

Q: What is the severity of CVE-2018-20225?

CVE-2018-20225 has a CVSS score of 7.8 (HIGH). This CVE describes a dependency confusion vulnerability in pip where using --extra-index-url to install packages from private repositories can be exploited. Attackers can upload malicious packages with higher version numbers to public PyPI, causing pip to install the malicious version instead of the intended private package. This affects all pip users who use --extra-index-url with private package indexes.

📋 TL;DR

This CVE describes a dependency confusion vulnerability in pip where using --extra-index-url to install packages from private repositories can be exploited. Attackers can upload malicious packages with higher version numbers to public PyPI, causing pip to install the malicious version instead of the intended private package. This affects all pip users who use --extra-index-url with private package indexes.

💻 Affected Systems

Products:

pip

Versions: All versions

Operating Systems: All operating systems where pip is used

Default Config Vulnerable: ✅ No

Notes: Only affects users who use --extra-index-url option with private package repositories. Default pip configuration without --extra-index-url is not vulnerable.

📦 What is this software?

Pip by Pypa

View all CVEs affecting Pip →

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution via malicious package installation leading to complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Installation of malicious packages containing backdoors, data exfiltration tools, or cryptocurrency miners on developer/build systems.

🟢

If Mitigated

No impact if proper package naming conventions and index configurations are used, or if private packages are published to public index with proper namespacing.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires the attacker to upload a malicious package to PyPI with a higher version number than the private package. The vulnerability is well-documented with public proof-of-concept examples.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://pip.pypa.io/en/stable/news/

Restart Required: No

Instructions:

This is considered intended functionality by pip maintainers. No official patch exists. Users must implement secure configurations and workarounds.

🔧 Temporary Workarounds

Use --index-url instead of --extra-index-url

all

Specify only the private index URL using --index-url instead of adding it as an extra index

pip install --index-url https://private.pypi.org/simple/ package-name

Use pip's --trusted-host option

all

Explicitly trust only the private host when using --extra-index-url

pip install --extra-index-url https://private.pypi.org/simple/ --trusted-host private.pypi.org package-name

🧯 If You Can't Patch

Prefix all private package names with organization-specific identifiers (e.g., 'companyname-package') to avoid conflicts with public packages
Configure pip to always prefer the private index by setting it as the primary index in pip.conf or environment variables

🔍 How to Verify

Check if Vulnerable:

Check if your pip installation scripts or CI/CD pipelines use --extra-index-url with private repositories without proper package naming or index configuration.

Check Version:

pip --version

Verify Fix Applied:

Verify that private packages are being installed from the correct source by checking pip install logs or using 'pip show package-name' to see installation source.

📡 Detection & Monitoring

Log Indicators:

pip install commands using --extra-index-url
Package installations from unexpected sources (public PyPI when private was expected)
Failed package installations due to version conflicts

Network Indicators:

Unexpected connections to pypi.org during private package installations
Downloads of packages with suspicious names or versions

SIEM Query:

source="pip" AND ("--extra-index-url" OR "pypi.org") AND NOT "--trusted-host"

📊 Metadata

CVE ID: CVE-2018-20225

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-20

Published: May 8, 2020

Last Updated: November 21, 2024

🔗 References

https://bugzilla.redhat.com/show_bug.cgi?id=1835736
https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html Third Party Advisory
https://lists.apache.org/thread.html/rb1adce798445facd032870d644eb39c4baaf9c4a7dd5477d12bb6ab2%40%3Cgithub.arrow.apache.org%3E
https://pip.pypa.io/en/stable/news/ Release Notes,Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1835736
https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html Third Party Advisory
https://lists.apache.org/thread.html/rb1adce798445facd032870d644eb39c4baaf9c4a7dd5477d12bb6ab2%40%3Cgithub.arrow.apache.org%3E
https://pip.pypa.io/en/stable/news/ Release Notes,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2018-20225, you might also want to check these: