{"api_version":"1","generated_at":"2026-04-23T02:15:53+00:00","cve":"CVE-2018-20225","urls":{"html":"https://cve.report/CVE-2018-20225","api":"https://cve.report/api/cve/CVE-2018-20225.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-20225","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-20225"},"summary":{"title":"CVE-2018-20225","description":"An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely","state":"PUBLISHED","assigner":"mitre","published_at":"2020-05-08 18:15:10","updated_at":"2026-04-15 21:17:00"},"problem_types":["CWE-20","n/a","CWE-20 CWE-20 Improper Input Validation"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"ADP","type":"DECLARED","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"6.8","severity":"","vector":"AV:N/AC:M/Au:N/C:P/I:P/A:P","data":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","baseScore":6.8,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"}}],"references":[{"url":"https://lists.apache.org/thread.html/rb1adce798445facd032870d644eb39c4baaf9c4a7dd5477d12bb6ab2%40%3Cgithub.arrow.apache.org%3E","name":"https://lists.apache.org/thread.html/rb1adce798445facd032870d644eb39c4baaf9c4a7dd5477d12bb6ab2%40%3Cgithub.arrow.apache.org%3E","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html","name":"https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Arbitrary code execution from pip's \"—extra-index-url\" | cowlicks","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://pip.pypa.io/en/stable/news/","name":"https://pip.pypa.io/en/stable/news/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Release Notes","Vendor Advisory"],"title":"Release Notes — pip 19.0.2 documentation","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1835736","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1835736","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"1835736 – (CVE-2018-20225) CVE-2018-20225 python-pip: when --extra-index-url option is used and package does not already exist in the public index, the installation of malicious package with arbitrary version number is possible.","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/rb1adce798445facd032870d644eb39c4baaf9c4a7dd5477d12bb6ab2@%3Cgithub.arrow.apache.org%3E","name":"MLIST:[arrow-github] 20200527 [GitHub] [arrow] BinduAggarwal opened a new pull request #7294: upgrading pip/wheel/setuptools","refsource":"MITRE","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-20225","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-20225","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"20225","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"pypa","cpe5":"pip","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2018","cve_id":"20225","cve":"CVE-2018-20225","epss":"0.017100000","percentile":"0.823630000","score_date":"2026-04-15","updated_at":"2026-04-16 00:13:55"},"legacy_qids":[{"cve":"CVE-2018-20225","qid":"378883","title":"Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)"},{"cve":"CVE-2018-20225","qid":"900087","title":"CBL-Mariner Linux Security Update for python-pip 19.2"},{"cve":"CVE-2018-20225","qid":"903110","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for python-pip (3692)"}]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-05T11:58:18.416Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"https://pip.pypa.io/en/stable/news/"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html"},{"name":"[arrow-github] 20200527 [GitHub] [arrow] BinduAggarwal opened a new pull request #7294: upgrading pip/wheel/setuptools","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/rb1adce798445facd032870d644eb39c4baaf9c4a7dd5477d12bb6ab2%40%3Cgithub.arrow.apache.org%3E"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1835736"}],"title":"CVE Program Container"},{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2018-20225","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-04-15T20:50:08.134320Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-20","description":"CWE-20 Improper Input Validation","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-15T20:50:17.582Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"descriptions":[{"lang":"en","value":"An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely"}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2020-06-01T16:05:34.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"tags":["x_refsource_MISC"],"url":"https://pip.pypa.io/en/stable/news/"},{"tags":["x_refsource_MISC"],"url":"https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html"},{"name":"[arrow-github] 20200527 [GitHub] [arrow] BinduAggarwal opened a new pull request #7294: upgrading pip/wheel/setuptools","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/rb1adce798445facd032870d644eb39c4baaf9c4a7dd5477d12bb6ab2%40%3Cgithub.arrow.apache.org%3E"},{"tags":["x_refsource_MISC"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1835736"}],"tags":["disputed"],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2018-20225","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://pip.pypa.io/en/stable/news/","refsource":"MISC","url":"https://pip.pypa.io/en/stable/news/"},{"name":"https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html","refsource":"MISC","url":"https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html"},{"name":"[arrow-github] 20200527 [GitHub] [arrow] BinduAggarwal opened a new pull request #7294: upgrading pip/wheel/setuptools","refsource":"MLIST","url":"https://lists.apache.org/thread.html/rb1adce798445facd032870d644eb39c4baaf9c4a7dd5477d12bb6ab2@%3Cgithub.arrow.apache.org%3E"},{"name":"https://bugzilla.redhat.com/show_bug.cgi?id=1835736","refsource":"MISC","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1835736"}]}}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2018-20225","datePublished":"2020-05-08T17:29:12.000Z","dateReserved":"2018-12-19T00:00:00.000Z","dateUpdated":"2026-04-15T20:50:17.582Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2020-05-08 18:15:10","lastModifiedDate":"2026-04-15 21:17:00","problem_types":["CWE-20","n/a","CWE-20 CWE-20 Improper Input Validation"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","baseScore":6.8,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:pypa:pip:*:*:*:*:*:*:*:*","matchCriteriaId":"18E919ED-27F7-406C-9BC7-6C85F69FD182"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"20225","Ordinal":"1","Title":"CVE-2018-20225","CVE":"CVE-2018-20225","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"20225","Ordinal":"1","NoteData":"An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely","Type":"Description","Title":"CVE-2018-20225"},{"CveYear":"2018","CveId":"20225","Ordinal":"2","NoteData":"2020-05-08","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"20225","Ordinal":"3","NoteData":"2020-06-01","Type":"Other","Title":"Modified"}]}}}