Vulnerability DatabaseCVE-2018-20225

CVE-2018-20225:
CBL Mariner vulnerability analysis and mitigation

Overview

A vulnerability was discovered in pip (all versions) where it installs the version with the highest version number when using the --extra-index-url option, even if the user intended to obtain a private package from a private index. The vulnerability (CVE-2018-20225) affects cases where the package does not already exist in the public index, allowing an attacker to put the package there with an arbitrary version number (NIST NVD, Cowlicks Blog).

Technical details

The vulnerability occurs specifically when --extra-index-url is used to point to a private PyPI server that has packages with names that are not claimed on the public PyPI. When this happens, pip needs to choose which PyPI to take the package from and simply selects the one with the higher version number. This becomes exploitable when someone is using a private PyPI with the --extra-index-url option and they are using a package on the private PyPI with a name they have not claimed on the public PyPI (Cowlicks Blog).

Impact

An attacker could potentially execute arbitrary code by taking control of an unclaimed package name on the public PyPI and replacing it with a malicious payload. The attacker could gain control of the public package name if it wasn't taken, or even if it was taken but unused (according to PEP 541). This particularly affects organizations using private Python packages that haven't claimed their package names on the public PyPI (Cowlicks Blog).

Mitigation and workarounds

Red Hat recommends using --index-url and not using --extra-index-url, OR explicitly setting --index-url when using --extra-index-url. The Python security team recommends using version-pinning and hash-pinning for deployments to avoid this issue. Another mitigation strategy is to claim and maintain ownership of private package names on the public PyPI (Red Hat Bugzilla, Cowlicks Blog).

Community reactions

Red Hat Product Security does not consider this to be a security vulnerability because per the pip documentation, this is intended behavior of pip when using the --extra-index-url flag. The issue was marked as WONTFIX. The Python security team acknowledged the issue but stated there was no path to fix it at the time. The vulnerability gained renewed attention in 2021 when it was rediscovered and received significant press coverage (Red Hat Bugzilla).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

7.8

Score

Published May 8, 2020

Severity HIGH

CNA Score N/A

Affected Technologies

CBL Mariner
MinimOS

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 82.3

Exploitation Probability (EPSS) 1.7

Affected packages and libraries

py3-pip
python-pip

Sources

NVD
CBL-Mariner
- CBL-Mariner 1.0 Severity HIGHNo FixAdded at: Jun 10, 2023
Debian Security Tracker
- Debian 11, 12 Severity LOWNo FixAdded at: Mar 28, 2022
- Debian 13 Severity LOWNo FixAdded at: Jun 11, 2023
- Debian 14 Severity LOWNo FixAdded at: Aug 10, 2025
Echo
- Echo Severity HIGHHas FixAdded at: Nov 18, 2025
Minimus
- MinimOS Severity HIGHHas FixAdded at: Oct 09, 2025
Red Hat Errata
- Red Hat 7, 8 Severity LOWNo FixAdded at: Nov 23, 2021

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related CBL Mariner vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-27135	HIGH	7.5	NixOS	nodejs24	No	Yes	Mar 18, 2026
CVE-2026-4111	HIGH	7.5	Rocky Linux	libarchive	No	Yes	Mar 13, 2026
CVE-2026-32775	HIGH	7.4	CBL Mariner	libexif-devel	No	Yes	Mar 16, 2026
CVE-2026-27459	HIGH	7.2	Python	rust-asn1+std-devel	No	Yes	Mar 18, 2026
CVE-2026-27448	LOW	1.7	Python	airflow-3	No	Yes	Mar 18, 2026