CVE-2023-31543 – This dependency confusion vulnerability in pipr... (How to Fix)

📋 TL;DR

This dependency confusion vulnerability in pipreqs allows attackers to execute arbitrary code by uploading malicious packages to a PyPI repository server. It affects users of pipreqs versions 0.3.0 through 0.4.11 who generate requirements.txt files from Python projects. Attackers can compromise systems during dependency resolution.

💻 Affected Systems

Products:

pipreqs

Versions: 0.3.0 to 0.4.11

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerable when pipreqs is used to scan Python projects and generate requirements.txt files, particularly when connecting to untrusted PyPI repositories.

📦 What is this software?

Pipreqs by Pipreqs Project

View all CVEs affecting Pipreqs →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with remote code execution, allowing attackers to steal data, install malware, or pivot to other systems.

🟠

Likely Case

Arbitrary code execution in the context of the user running pipreqs, potentially leading to credential theft, data exfiltration, or lateral movement.

🟢

If Mitigated

Limited impact if using private PyPI repositories with strict controls and verifying all dependencies before installation.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires the attacker to control or compromise a PyPI repository server that the victim uses, or to poison public PyPI with malicious packages.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.4.12

Vendor Advisory: https://github.com/bndr/pipreqs/pull/364

Restart Required: No

Instructions:

1. Update pipreqs using pip: pip install --upgrade pipreqs==0.4.12
2. Verify the version: pipreqs --version
3. Ensure all systems using pipreqs are updated.

🔧 Temporary Workarounds

Use private PyPI repository

all

Configure pipreqs to use only trusted, private PyPI repositories with strict package vetting.

export PIP_INDEX_URL=https://your-private-pypi/simple/

Disable pipreqs dependency resolution

all

Manually create requirements.txt files instead of using pipreqs automated scanning.

🧯 If You Can't Patch

Restrict network access to only trusted PyPI repositories using firewall rules or proxy configurations.
Run pipreqs in isolated containers or sandboxes with minimal privileges and no sensitive data access.

🔍 How to Verify

Check if Vulnerable:

Check pipreqs version: pipreqs --version. If version is between 0.3.0 and 0.4.11 inclusive, system is vulnerable.

Check Version:

pipreqs --version

Verify Fix Applied:

Verify pipreqs version is 0.4.12 or higher: pipreqs --version

📡 Detection & Monitoring

Log Indicators:

Unusual PyPI package downloads during pipreqs execution
Network connections to unexpected PyPI repositories
Process execution from pipreqs with suspicious arguments

Network Indicators:

Outbound connections to non-approved PyPI repositories during pipreqs runs
DNS queries for suspicious package names

SIEM Query:

process.name="pipreqs" AND network.destination.ip NOT IN (trusted_pypi_ips)

📊 Metadata

CVE ID: CVE-2023-31543

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-427

Published: June 30, 2023

Last Updated: November 21, 2024

🔗 References

https://gist.github.com/adeadfed/ccc834440af354a5638f889bee34bafe Exploit,Mitigation,Third Party Advisory
https://github.com/bndr/pipreqs/pull/364 Exploit,Mitigation,Patch,Vendor Advisory
https://gist.github.com/adeadfed/ccc834440af354a5638f889bee34bafe Exploit,Mitigation,Third Party Advisory
https://github.com/bndr/pipreqs/pull/364 Exploit,Mitigation,Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-31543, you might also want to check these: