Critical pip Vulnerabilities Expose TLS Bypass and DoS Risks

Ubuntu security updates address three vulnerabilities in pip, two in the urllib3 copy it bundles and one in the bundled Requests library, affecting TLS certificate verification and resource consumption during HTTP response handling. Organizations using pip for dependency management should prioritize patching to reduce exposure to man-in-the-middle interception and denial-of-service conditions.

TL;DR

  • TLS certificate verification can be bypassed within a pip (Requests) Session: if verification is disabled on the first request to a host, later requests to that host reuse the connection and skip the check even when verification is re-enabled
  • Two urllib3 decompression vulnerabilities enable remote attackers to trigger excessive resource consumption and denial-of-service conditions
  • CVE-2024-35195, CVE-2025-66418, and CVE-2025-66471 collectively impact supply chain security and application availability
  • Ubuntu security notice USN-8344-1 addresses all three issues with patched pip packages

Ubuntu has released security updates addressing three vulnerabilities in pip, the widely used Python package installer. The affected code lives in the HTTP libraries pip bundles (Requests and urllib3) and spans certificate verification logic and HTTP response decompression, affecting both confidentiality and availability for organizations relying on pip for dependency management.

The vulnerabilities range from a session-level TLS bypass that persists across requests to resource exhaustion attacks via malicious HTTP responses. Development teams and DevOps practitioners should review and apply patches promptly to mitigate supply chain and infrastructure risks.

TLS Certificate Verification Bypass

  • CVE-2024-35195: the Requests library bundled with pip keeps TLS verification state on pooled connections within a Session
  • If certificate verification is disabled (verify=False) on the first request to a host, later requests to that host reuse the connection and skip verification even when verify is set back to True
  • Enables man-in-the-middle interception of those later requests, including package downloads, and exposure of sensitive data in transit
  • Particularly dangerous when a long-lived Session mixes trusted and untrusted requests to the same host, since only the first request's verification setting takes effect
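The mechanism behind the bypass, as an added illustration rather than code from pip or Requests: a toy connection pool that caches the TLS context per host (the vulnerable pattern) next to one that makes the verification settings part of the pool key, which is what the upstream fix does. No network is used; the hostname is a constructed placeholder and the pools only hand out `ssl.SSLContext` objects.

```python
"""Connection reuse carrying TLS verification state (added illustration, not
Requests' or pip's code).  The pools below are toys; real pooling is urllib3's."""
from __future__ import annotations

import ssl


def make_tls_context(verify: bool) -> ssl.SSLContext:
    """Build the context a client would use for one request."""
    ctx = ssl.create_default_context()
    if not verify:
        # What verify=False amounts to: no hostname check, no chain validation.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


class HostKeyedPool:
    """Vulnerable pattern: one cached context per host, fixed by the first request."""

    def __init__(self) -> None:
        self._contexts: dict[str, ssl.SSLContext] = {}

    def context_for(self, host: str, verify: bool) -> ssl.SSLContext:
        if host not in self._contexts:
            self._contexts[host] = make_tls_context(verify)
        return self._contexts[host]  # 'verify' is ignored on every later call


class TlsKeyedPool:
    """Fixed pattern: the verification setting is part of the pool key, so a
    verify=False request can never hand its connection to a verify=True one."""

    def __init__(self) -> None:
        self._contexts: dict[tuple[str, bool], ssl.SSLContext] = {}

    def context_for(self, host: str, verify: bool) -> ssl.SSLContext:
        key = (host, verify)
        if key not in self._contexts:
            self._contexts[key] = make_tls_context(verify)
        return self._contexts[key]


def verifies(ctx: ssl.SSLContext) -> bool:
    """True only if both chain validation and hostname checking are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def session_verifies_second_request(pool) -> bool:
    """Replay the CVE-2024-35195 sequence: first request to a host with
    verify=False, then a second request to the same host with verify=True."""
    host = "pypi.example"  # constructed hostname; nothing is contacted
    pool.context_for(host, verify=False)
    return verifies(pool.context_for(host, verify=True))


if __name__ == "__main__":
    print("host-keyed pool verifies 2nd request:",
          session_verifies_second_request(HostKeyedPool()))  # False
    print("tls-keyed pool verifies 2nd request:",
          session_verifies_second_request(TlsKeyedPool()))   # True
```

The practical rule until the patched pip is deployed follows from the second class: never reuse a Session that has made a verify=False request for anything that must be verified, and treat any verify=False in CI code as applying to every later request to that host.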

Decompression Resource Exhaustion

  • CVE-2025-66418: the urllib3 bundled with pip places no limit on the number of nested decompression steps (stacked Content-Encoding layers) it performs on a response
  • CVE-2025-66471: the streaming API mishandles highly compressed payloads, so a small compressed read can expand far beyond the requested amount in memory
  • Both enable remote attackers to craft malicious responses triggering excessive CPU and memory consumption
  • Results in denial-of-service conditions affecting pip operations and dependent build systems
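What a bounded decoder looks like, as an added example that is not pip's or urllib3's code: it builds a constructed nested-gzip payload to show the expansion ratio, then decodes with a cap on the number of Content-Encoding layers (the CVE-2025-66418 case) and, using zlib's `max_length`, a cap on inflated bytes for both buffered and streaming reads (the CVE-2025-66471 case). The limit values are hypothetical.

```python
"""Bounded decoding of compressed HTTP bodies (added example; not pip's or
urllib3's own code).  The caps are hypothetical values chosen for illustration."""
import gzip
import zlib
from typing import Iterable

MAX_ENCODING_LAYERS = 2              # cap on stacked Content-Encoding values
MAX_DECODED_BYTES = 8 * 1024 * 1024  # cap on inflated output per layer / stream


class DecompressionLimitExceeded(Exception):
    """Raised instead of inflating a response past the configured caps."""


def build_bomb(layers: int, plain_size: int = 1 << 20) -> tuple:
    """Constructed test input: plain_size zero bytes gzipped 'layers' times.
    Returns (body, matching Content-Encoding header value)."""
    body = b"\x00" * plain_size
    for _ in range(layers):
        body = gzip.compress(body)
    return body, ", ".join(["gzip"] * layers)


def _wbits_for(encoding: str) -> int:
    """zlib window parameter for the two deflate-based HTTP encodings."""
    if encoding in ("gzip", "x-gzip"):
        return 16 + zlib.MAX_WBITS   # expect a gzip wrapper
    if encoding == "deflate":
        return zlib.MAX_WBITS        # expect a zlib wrapper (RFC 9110 'deflate')
    raise ValueError(f"unsupported Content-Encoding: {encoding!r}")


def _inflate(data: bytes, wbits: int, max_bytes: int) -> bytes:
    """Inflate one layer; max_length makes zlib stop at the cap instead of
    allocating whatever the stream asks for."""
    d = zlib.decompressobj(wbits=wbits)
    out = d.decompress(data, max_bytes + 1)
    if len(out) > max_bytes:
        raise DecompressionLimitExceeded(f"layer inflates past {max_bytes} bytes")
    return out


def bounded_decode(body: bytes, content_encoding: str,
                   max_layers: int = MAX_ENCODING_LAYERS,
                   max_bytes: int = MAX_DECODED_BYTES) -> bytes:
    """Fully buffered decode with a cap on layer count and on output size."""
    layers = [e.strip().lower() for e in content_encoding.split(",") if e.strip()]
    layers = [e for e in layers if e != "identity"]
    if len(layers) > max_layers:
        raise DecompressionLimitExceeded(f"{len(layers)} encodings > {max_layers}")
    # Content-Encoding lists encodings in the order applied, so undo them in reverse.
    for enc in reversed(layers):
        body = _inflate(body, _wbits_for(enc), max_bytes)
    return body


def bounded_stream_decode(chunks: Iterable[bytes], encoding: str,
                          max_bytes: int = MAX_DECODED_BYTES) -> bytes:
    """Streaming decode: compressed input arrives in arbitrary chunks and the
    inflated total is budgeted across all of them, so a few hundred compressed
    bytes cannot turn one read() into an unbounded buffer."""
    d = zlib.decompressobj(wbits=_wbits_for(encoding))
    out = bytearray()
    for chunk in chunks:
        remaining = max_bytes - len(out)          # never negative: we raise first
        out += d.decompress(chunk, remaining + 1)
        if len(out) > max_bytes:
            raise DecompressionLimitExceeded(f"stream inflates past {max_bytes} bytes")
    return bytes(out)


def compression_ratio(layers: int) -> float:
    """Plain bytes per compressed byte for the constructed bomb."""
    body, _ = build_bomb(layers)
    return (1 << 20) / len(body)


if __name__ == "__main__":
    body, encoding = build_bomb(3)
    print(f"{len(body)} bytes on the wire, Content-Encoding: {encoding}, "
          f"ratio {compression_ratio(3):.0f}:1")
    try:
        bounded_decode(body, encoding)  # rejected: three layers exceed the cap
    except DecompressionLimitExceeded as exc:
        print("rejected:", exc)
```

The two caps are independent on purpose: a layer cap alone still lets a single gzip member inflate a megabyte of zeros out of about a kilobyte, and a byte cap alone still lets a long Content-Encoding chain burn CPU on every layer. Patched pip removes the need for this in the fetch path, but any code that decodes untrusted responses itself should apply the same limits.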

Remediation and Impact

  • Ubuntu security notice USN-8344-1 provides patched pip versions across supported releases
  • Organizations should update pip and verify urllib3 versions in their dependency chains
  • CI/CD pipelines and supply chain tooling that run pip unattended against remote indexes are the main exposure, since a malicious or intercepted response reaches them without human review
  • Recommend testing patches in non-production environments before broad deployment


Critical pip Vulnerabilities Expose TLS Bypass and DoS Risks — Agent Breach Blog | Agent Breach