CVE-2018-20225
Severity: HIGH
pip - Arbitrary Package Installation via --extra-index-url
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2018-20225. PoCs published by brabster.
AI-analyzed exploit summary
The repository contains minimal code demonstrating CVE-2018-20225, with placeholder packages labeled 'malicious' and 'safe' but no functional exploit or payload. The 'malicious' package only prints a message and lacks actual exploit logic.
Description
An issue was discovered in pip (all versions): when --extra-index-url is used, pip pools the candidates from the primary index and every extra index and installs whichever has the highest version number, with no preference for the index a package came from, even if the user intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package name does not already exist in the public index (so the attacker can register it there with an arbitrarily high version number). NOTE: it has been reported that this is intended functionality and that the user is responsible for using --extra-index-url securely. In practice that means serving private packages from a single --index-url (typically a private index that proxies the public one) rather than mixing indexes, or pinning exact versions with --require-hashes so that a same-named public package fails hash verification.
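The candidate selection described above, as an added example that is not pip's own code or the referenced PoC: it models pip's finder (all indexes contribute to one pool, highest version wins) on constructed index contents, shows that the same lookup against only the private index returns the intended package, and adds a pre-install audit that lists the private names an attacker could still claim on the public index. Version ordering is a simplified dotted-integer comparison rather than full PEP 440.

```python
"""Model of pip's candidate selection with --extra-index-url (CVE-2018-20225).

Added example, not pip's code. The index contents below are constructed;
version comparison is simplified (pip uses the 'packaging' library for PEP 440).
"""
from typing import Dict, List, Tuple

Index = Dict[str, List[str]]  # package name -> versions available on that index

# Constructed data: a private index with two internal packages, and a public
# index where an attacker has already registered 'internal-utils' at 99.0.0.
PRIVATE_INDEX: Index = {"internal-utils": ["1.1.0", "1.2.0"], "acme-auth": ["2.0.0"]}
PUBLIC_INDEX: Index = {"requests": ["2.31.0"], "internal-utils": ["99.0.0"]}


def version_key(v: str) -> Tuple[int, ...]:
    """Simplified ordering: '1.2.0' -> (1, 2, 0). Not PEP 440."""
    return tuple(int(part) for part in v.split("."))


def select_like_pip(package: str, indexes: Dict[str, Index]) -> Tuple[str, str]:
    """Mimic pip's finder: --index-url and every --extra-index-url feed one
    candidate pool, and the highest version wins regardless of origin.
    Returns (version, index_name); raises KeyError if no index has the package."""
    pool = [(version_key(v), v, name)
            for name, index in indexes.items()
            for v in index.get(package, [])]
    if not pool:
        raise KeyError(package)
    _, version, source = max(pool)  # highest version; index name only breaks ties
    return version, source


def audit(private: Index, public: Index) -> Dict[str, List[str]]:
    """Pre-install check against both indexes.
    'claimable': names only on the private index; the CVE's precondition, an
                 attacker can still register them publicly.
    'shadowed':  names on both where the public copy is newer, so a mixed
                 --extra-index-url install would already fetch the public one."""
    result: Dict[str, List[str]] = {"claimable": [], "shadowed": []}
    for name, versions in private.items():
        if name not in public:
            result["claimable"].append(name)
            continue
        newest_private = max(versions, key=version_key)
        newest_public = max(public[name], key=version_key)
        if version_key(newest_public) > version_key(newest_private):
            result["shadowed"].append(name)
    return result


if __name__ == "__main__":
    mixed = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}
    print("mixed indexes   :", select_like_pip("internal-utils", mixed))
    print("private only    :", select_like_pip("internal-utils", {"private": PRIVATE_INDEX}))
    print("audit           :", audit(PRIVATE_INDEX, PUBLIC_INDEX))
```

With the mixed index set the lookup returns the attacker's 99.0.0 from the public index; restricting resolution to the private index returns 1.2.0. The audit flags acme-auth as claimable (it has no public entry yet) and internal-utils as already shadowed.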
Exploits (1)
Scores
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (base score 7.8, HIGH)