{"id":"USN-8344-1","summary":"python-pip vulnerabilities","details":"It was discovered that pip incorrectly handled TLS certificate\nverification in session connections. If a session was first used with\ncertificate verification disabled, subsequent requests to the same host\nwould also skip verification regardless of the session's current settings.\nA remote attacker could possibly use this issue to perform a machine-in-the-middle\nattack and expose sensitive information. (CVE-2024-35195)\n\nIt was discovered that pip's bundled urllib3 library did not limit the\nnumber of decompression steps when processing HTTP responses. A remote\nattacker could possibly use this issue to cause pip to consume excessive resources,\nleading to a denial of service. (CVE-2025-66418)\n\nIt was discovered that pip's bundled urllib3 library improperly\nhandled streaming decompression of highly compressed data. A remote\nattacker could possibly use this issue to cause pip to consume excessive resources,\nleading to a denial of service. (CVE-2025-66471)","modified":"2026-05-29T23:15:07.262348862Z","published":"2026-05-28T19:46:16Z","related":["UBUNTU-CVE-2024-35195","UBUNTU-CVE-2025-66418","UBUNTU-CVE-2025-66471"],"upstream":["UBUNTU-CVE-2024-35195","UBUNTU-CVE-2025-66418","UBUNTU-CVE-2025-66471"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8344-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-35195"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-66418"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-66471"}],"affected":[{"package":{"name":"python-pip","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fjammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"22.0.2+dfsg-1ubuntu0.7+esm1"}]}],"versions":["20.3.4-4","21.3.1+dfsg-3","22.0.2+dfsg-1","22.0.2+dfsg-1ubuntu0.1","22.0.2+dfsg-1ubuntu0.2","22.0.2+dfsg-1ubuntu0.3","22.0.2+dfsg-1ubuntu0.4","22.0.2+dfsg-1ubuntu0.5","22.0.2+dfsg-1ubuntu0.6","22.0.2+dfsg-1ubuntu0.7"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_name":"python3-pip","binary_version":"22.0.2+dfsg-1ubuntu0.7+esm1"},{"binary_name":"python3-pip-whl","binary_version":"22.0.2+dfsg-1ubuntu0.7+esm1"}]},"database_specific":{"cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-35195"},{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-66418"}],"ecosystem":"Ubuntu:Pro:22.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8344-1.json"}},{"package":{"name":"python-pip","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fnoble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"24.0+dfsg-1ubuntu1.3+esm1"}]}],"versions":["23.2+dfsg-1","23.3+dfsg-1","24.0+dfsg-1","24.0+dfsg-1ubuntu1","24.0+dfsg-1ubuntu1.1","24.0+dfsg-1ubuntu1.2","24.0+dfsg-1ubuntu1.3"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_name":"python3-pip","binary_version":"24.0+dfsg-1ubuntu1.3+esm1"},{"binary_name":"python3-pip-whl","binary_version":"24.0+dfsg-1ubuntu1.3+esm1"}]},"database_specific":{"cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-35195"},{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-66418"}],"ecosystem":"Ubuntu:Pro:24.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8344-1.json"}},{"package":{"name":"python-pip","ecosystem":"Ubuntu:Pro:26.04:LTS","purl":"pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fresolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"25.1.1+dfsg-1ubuntu2+esm1"}]}],"versions":["25.1.1+dfsg-1ubuntu2"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_name":"python3-pip","binary_version":"25.1.1+dfsg-1ubuntu2+esm1"},{"binary_name":"python3-pip-whl","binary_version":"25.1.1+dfsg-1ubuntu2+esm1"}]},"database_specific":{"cves_map":{"cves":[],"ecosystem":"Ubuntu:Pro:26.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8344-1.json"}}],"schema_version":"1.7.5"}