CVE-2023-31543: 
Python vulnerability analysis and mitigation

A dependency confusion vulnerability was discovered in pipreqs versions 0.3.0 to 0.4.11 (CVE-2023-31543). The vulnerability allows attackers to execute arbitrary code by uploading a crafted PyPI package to the chosen repository server. This critical vulnerability was discovered and reported in April 2023, affecting the package resolution mechanism in pipreqs (GitHub Advisory, NVD).

The vulnerability exists in pipreqs' remote dependency resolving mechanism (pipreqs/pipreqs.py#L447-449). The attack exploits mismatches between PyPI package names and their nested Python modules. Three conditions must be met for successful exploitation: 1) The PyPI package name must differ from its exported Python module names, 2) The exported module name to PyPI package name mapping must be absent from pipreqs' hard-coded mapping file, and 3) The exported module name must be available as a package name on PyPI. The vulnerability has a CVSS v3.1 score of 9.8 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (GitHub Advisory).

When successfully exploited, this vulnerability allows attackers to execute arbitrary code on machines running Python code with requirements.txt files generated by vulnerable versions of pipreqs. This occurs during dependency installation when the attacker-controlled malicious package is executed (GitHub Advisory).

The vulnerability was patched in pipreqs version 0.4.13, released on April 14th, 2023. The fix includes an improved local dependency resolving mechanism that accounts for possible PyPI package and Python module name mismatches. Additionally, when using the remote resolving mechanism, the application now displays a warning message to ensure developers manually review the output (GitHub PR).