Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely

🗓️ 02 Oct 2025 06:11:01Reported by MicrosoftType 
mscve
 mscve🔗 msrc.microsoft.com👁 1 Views

Pip uses the highest version for private extra index URLs, enabling tampering if the package is not on the public index.

Related
Detection
ReporterTitlePublishedViews
Family
IBM Security Bulletins		Security Bulletin: Vulnerabilities exists in IBM Netezza Analytics - NPS Product
15 Jul 202515:44
ibm
IBM Security Bulletins		Security Bulletin: WML CE: pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index
17 Jul 202016:48
ibm
IBM Security Bulletins		Security Bulletin: Pip as used by IBM QRadar Advisor With Watson is vulnerable to multiple vulnerabilities (CVE-2019-20916, CVE-2021-3572, CVE-2018-20225)
15 Jun 202219:07
ibm
IBM Security Bulletins		Security Bulletin: IBM watsonx.data integration has several vulnerabilities due to open source packages (CVE-2018-20225, CVE-2025-6985, CVE-2025-54368)
20 Mar 202616:39
ibm
IBM Security Bulletins		Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Python
19 Jun 202005:08
ibm
IBM Security Bulletins		Security Bulletin: IBM Maximo Application Suite - There is a vulnerability in Python used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2018-20225, CVE-2019-20916, CVE-2023-43804, CVE-2023-4807)
9 Sep 202407:08
ibm
IBM Security Bulletins		Security Bulletin: An issue was discovered in pip (all versions) because it installs the version with the highest version number, which affects IBM watsonx.data
25 Jul 202512:31
ibm
IBM Security Bulletins		Security Bulletin: Several vulnerabilities affect Watson Machine Learning Accelerator on Cloud Pak for Data 5.0.0
29 Apr 202502:33
ibm
CBLMariner		CVE-2018-20225 affecting package python-pip 19.2-2
12 Jan 202509:15
cbl_mariner
Circl		CVE-2018-20225
8 May 202023:06
circl
Rows per page
Vulners
Node
microsoftcm1_python-pip_19.2-2Range<19.2-2

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Oct 2025 06:11Current
7High risk
Vulners AI Score7
CVSS 26.8
CVSS 3.17.8
EPSS0.03726
SSVC
package installer issueextra index urlprivate index exploithighest version installpublic index check
1