Pip Vulnerabilities Lead to Regression and Potential Attacks

Pip Vulnerabilities Lead to Regression and Potential Attacks

First seen 29 May 2026, 22:28 UTC Ubuntulaunchpad.netLinuxsecurity 87% similarity 57.8

Article Content

Browse articles
ThreatCluster

On May 29, 2026, Ubuntu announced a regression in pip due to patches for CVE-2025-66471, which were initially intended to fix vulnerabilities in pip on Ubuntu 22.04 LTS, 24.04 LTS, and 26.04 LTS. The regression caused issues with TLS certificate verification, potentially allowing remote attackers to perform machine-in-the-middle attacks and expose sensitive information (CVE-2024-35195). Additionally, pip's bundled urllib3 library was found to improperly handle decompression, leading to denial of service vulnerabilities (CVE-2025-66418, CVE-2025-66471). The patches for CVE-2025-66471 have been temporarily reverted pending further investigation. Users are advised to remain vigilant as the vulnerabilities could impact systems using pip for package management.

Key Points: • Pip's regression affects Ubuntu 22.04, 24.04, and 26.04 LTS due to reverted patches. • TLS certificate verification flaws could enable machine-in-the-middle attacks. • Denial of service vulnerabilities exist in pip's urllib3 library, affecting resource consumption.

ThreatCluster AI

Timeline

2024-05-20
CVE-2024-35195 published
Pip's TLS certificate verification flaw was disclosed, allowing potential machine-in-the-middle attacks.
Article 2
2025-12-05
CVE-2025-66471 published
Vulnerability in pip's urllib3 library related to improper handling of decompression was disclosed.
Article 1
2025-12-05
CVE-2025-66418 published
Another vulnerability in pip's urllib3 library was disclosed, allowing denial of service through resource exhaustion.
Article 1
2026-05-29
Pip regression announced
Ubuntu confirmed that patches for CVE-2025-66471 caused a regression, reverting them pending investigation.
Article 1

Community

Browse all →