Pip Vulnerabilities Lead to Regression and Potential Attacks

Severity: Medium (Score: 57.8)

Sources: Ubuntu, launchpad.net

Published: 2026-05-29 · Updated: 2026-05-29

Keywords: ubuntu, regression, usn-8344-1, vulnerabilities, patches, cve-2025-66471, certificate

Severity indicators: vulnerabilities, CVE:CVE-2025-66471

Summary

On May 29, 2026, Ubuntu announced a regression in pip caused by the patches for CVE-2025-66471 that had shipped in USN-8344-1 for Ubuntu 22.04 LTS, 24.04 LTS, and 26.04 LTS. That update addressed two groups of issues. First, pip mishandled TLS certificate verification in session connections, which could let a remote attacker perform a machine-in-the-middle attack and expose sensitive information (CVE-2024-35195). Second, pip's bundled urllib3 library improperly handled decompression, leading to denial of service (CVE-2025-66418, CVE-2025-66471). The patches for CVE-2025-66471 have been temporarily reverted pending further investigation. Users are advised to remain vigilant, as the vulnerabilities could impact systems that use pip for package management.

Key Points:

  • The regression affects Ubuntu 22.04, 24.04, and 26.04 LTS, and the CVE-2025-66471 patches have been reverted.
  • The TLS certificate verification flaw (CVE-2024-35195) could enable machine-in-the-middle attacks.
  • Denial-of-service vulnerabilities in pip's bundled urllib3 library (CVE-2025-66418, CVE-2025-66471) allow excessive resource consumption.

Detailed Analysis

**Impact**

Users of pip on Ubuntu 22.04 LTS, 24.04 LTS, and 26.04 LTS are affected by vulnerabilities that could lead to exposure of sensitive information and denial of service conditions. The issues impact software development and deployment environments that rely on pip for Python package management, potentially affecting sectors dependent on secure software supply chains globally. Data at risk includes sensitive information intercepted through man-in-the-middle attacks made possible by improper TLS verification.

**Technical Details**

The primary attack vector is pip's incorrect handling of TLS certificate verification in session connections (CVE-2024-35195): once a session has been used with verification disabled, subsequent requests on that session may skip certificate checks. Additional vulnerabilities in pip's bundled urllib3 library (CVE-2025-66418, CVE-2025-66471) enable denial of service through resource exhaustion, caused by an unlimited number of decompression steps and by improper streaming decompression of highly compressed data. These issues occur during the delivery and exploitation phases of the kill chain. No specific IOCs or malware/tools are provided.

**Recommended Response**

Apply the latest Ubuntu security updates once the patches for CVE-2025-66471 are reissued, as the initial fix was reverted due to the regression. Until then, monitor pip usage for unusual TLS session behaviour and resource consumption anomalies. Harden configurations by ensuring TLS verification is enabled consistently in pip sessions, and limit decompression resource usage where possible. Maintain vigilance for man-in-the-middle attack indicators in network traffic.

Source articles (3)

  • USN-8344-1: pip vulnerabilities — Ubuntu · 2026-05-28
    It was discovered that pip incorrectly handled TLS certificate verification in session connections. If a session was first used with certificate verification disabled, subsequent requests to the same…
  • USN-8344-2: pip regression — Ubuntu · 2026-05-29
    USN-8344-1 fixed vulnerabilities in pip. On Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS the patches for CVE-2025-66471 caused a regression when using pip. The patches for CVE-2025-66471 h…
  • 2154576 — launchpad.net · 2026-05-29
    After the CVE-2025-66471 update, pip's vendored urllib3 truncates gzip-decoded responses. This is reproducible without network/TLS/PyPI: raw gzip bytes: 219 expected decoded bytes: 120069 requests .co…
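The two decompression failure modes described above, resource exhaustion from a highly compressed body (CWE-400) and the post-patch truncation of gzip-decoded responses, can both be exercised offline with the standard library. The following is an added example, not code from pip, urllib3 or the launchpad report: it bounds streaming gzip decompression with zlib's `max_length` so the decoded size can never exceed a cap, and turns the bug report's "expected decoded bytes" comparison into a check that a body decodes to exactly its expected length. The sample body is constructed here; the 120069-byte size mirrors the report's figure but the bytes are not the report's.

```python
import gzip
import zlib

class DecompressionCapExceeded(ValueError):
    """Decoded output would exceed the configured cap (resource-exhaustion guard)."""

class TruncatedStream(ValueError):
    """Input ended before the gzip end-of-stream marker (the regression symptom)."""

# Constructed sample, not taken from the bug report: 120069 zero bytes compress
# to well under 1 KiB, the same "tiny input, large output" shape the launchpad
# report describes (219 gzip bytes -> 120069 decoded bytes).
EXPECTED_DECODED = 120_069
SAMPLE_GZ = gzip.compress(b"\0" * EXPECTED_DECODED)

def bounded_gunzip(data: bytes, max_out: int, step: int = 4096) -> bytes:
    """Stream-decompress a gzip body, emitting at most max_out bytes.

    Each decompress() call is capped by max_length, so a highly compressed body
    can never expand past the cap in memory; unconsumed input is carried over in
    unconsumed_tail, so no decoded data is silently dropped.
    """
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16 + wbits selects gzip framing
    out = bytearray()
    pending = data
    while not d.eof:
        piece = d.decompress(pending, step)
        if not piece and not pending:
            # All input consumed and nothing left to emit, yet no end-of-stream.
            raise TruncatedStream("gzip stream ended before its trailer")
        out += piece
        if len(out) > max_out:
            raise DecompressionCapExceeded(f"decoded size exceeds {max_out} bytes")
        pending = d.unconsumed_tail
    return bytes(out)

def decode_outcome(data: bytes, expected_len: int) -> str:
    """Regression check: 'ok' only when the body decodes to exactly expected_len."""
    try:
        decoded = bounded_gunzip(data, expected_len)
    except DecompressionCapExceeded:
        return "too-large"
    except TruncatedStream:
        return "truncated"
    return "ok" if len(decoded) == expected_len else "short"
```

Running `decode_outcome` against a body captured from a pip download, with the length the upstream server advertised, distinguishes a complete response from one cut short by a broken decoder, without touching the network.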

Timeline

  • 2024-05-20 — CVE-2024-35195 published: Pip's TLS certificate verification flaw was disclosed, allowing potential machine-in-the-middle attacks.
  • 2025-12-05 — CVE-2025-66471 published: Vulnerability in pip's urllib3 library related to improper handling of decompression was disclosed.
  • 2025-12-05 — CVE-2025-66418 published: Another vulnerability in pip's urllib3 library was disclosed, allowing denial of service through resource exhaustion.
  • 2026-05-29 — Pip regression announced: Ubuntu confirmed that patches for CVE-2025-66471 caused a regression, reverting them pending investigation.

CVEs

  • CVE-2024-35195
  • CVE-2025-66418
  • CVE-2025-66471

Related entities

  • Denial of Service (Attack Type)
  • Man-in-the-Middle (Attack Type)
  • CWE-200 - Exposure of Sensitive Information (CWE)
  • CWE-295 - Improper Certificate Validation (CWE)
  • CWE-400 - Uncontrolled Resource Consumption (CWE)
  • Pip (Platform)
  • PyPI (Platform)
  • Ubuntu Pro (Platform)
  • Urllib3 (Platform)
  • Python (Tool)
  • Ubuntu (Company)