CVE-2023-31543
CRITICALpipreqs 0.3.0-0.4.11 - Dependency Confusion via PyPI Package Upload
Title source: llmDescription
A dependency confusion in pipreqs v0.3.0 to v0.4.11 allows attackers to execute arbitrary code via uploading a crafted PyPI package to the chosen repository server.
References (2)
Core 2
Core References
Exploit, Mitigation, Third Party Advisory
https://gist.github.com/adeadfed/ccc834440af354a5638f889bee34bafe
Exploit, Mitigation, Patch, Vendor Advisory
https://github.com/bndr/pipreqs/pull/364
Scores
CVSS v3
9.8
EPSS
0.0109
EPSS Percentile
60.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-427
Status
published
Products (2)
pipreqs_project/pipreqs
0.3.0 - 0.4.11
pypi/pipreqs
0.3.0 - 0.4.12PyPI
Published
Jun 30, 2023
Tracked Since
Feb 18, 2026