| Package | python-pip |
|---|---|
| Version | 9.0.1-2+deb9u3 (stretch), 18.1-5+deb10u1 (buster) |
| Related CVEs | CVE-2019-20916 CVE-2021-3572 CVE-2023-5752 CVE-2025-8869 |
Multiple vulnerabilities have been discovered in python-pip, the Python package installer.
CVE-2019-20916
Directory traversal is possible when a URL is given in an install command,
because the Content-Disposition header of the response can carry ../ in its
filename.
This issue had been fixed in Stretch already via version 9.0.1-2+deb9u2 of
python-pip (DLA-2370-1).
CVE-2021-3572
A flaw exists in the way Unicode separators are handled in Git references.
CVE-2023-5752
When installing a package from a Mercurial VCS URL, arbitrary configuration
options could be injected into the "hg clone" call.
CVE-2025-8869
Pip's tar extraction does not check that symbolic links resolve to a location
inside the extraction directory.
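The two file-handling issues described above, the traversing Content-Disposition filename of CVE-2019-20916 and the unchecked symbolic link targets of CVE-2025-8869, can be illustrated with the checks an installer needs before it writes anything to disk. The following is an added example written for this advisory; it is not pip's own code or its actual fix. The function names, the constructed sample archive and the /tmp/build destination are assumptions made for illustration only.

```python
import io
import os
import tarfile
from email.message import Message
from typing import List, Optional, Tuple


def sanitize_content_filename(header_value: str) -> Optional[str]:
    """Return the bare filename carried by a Content-Disposition header, or None
    when the header has no usable filename.  Every directory component is
    dropped, so 'attachment; filename="../../evil.whl"' yields 'evil.whl'
    instead of a path that climbs out of the download directory."""
    msg = Message()
    msg["Content-Disposition"] = header_value
    filename = msg.get_filename()
    if not filename:
        return None
    # Strip directory components written with either separator style.
    filename = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if filename in ("", ".", ".."):
        return None
    return filename


def _inside(base: str, candidate: str) -> bool:
    """True when the normalised candidate path lies within base."""
    return os.path.commonpath([base, os.path.normpath(candidate)]) == base


def audit_tar_members(tar: tarfile.TarFile, dest: str) -> List[Tuple[str, str]]:
    """Return (member name, reason) for every member that would write or link
    outside dest.  Nothing is extracted; paths are resolved the way an extractor
    would: member names relative to dest, symlink targets relative to the
    member's own directory, hard-link targets relative to dest."""
    dest = os.path.abspath(dest)
    problems: List[Tuple[str, str]] = []
    for member in tar.getmembers():
        path = os.path.join(dest, member.name)
        if not _inside(dest, path):
            problems.append((member.name, "path escapes extraction directory"))
            continue
        if member.issym():
            target = os.path.join(os.path.dirname(os.path.normpath(path)), member.linkname)
            if os.path.isabs(member.linkname) or not _inside(dest, target):
                problems.append((member.name, f"symlink to {member.linkname} escapes extraction directory"))
        elif member.islnk():
            target = os.path.join(dest, member.linkname)
            if not _inside(dest, target):
                problems.append((member.name, f"hard link to {member.linkname} escapes extraction directory"))
    return problems


def build_sample_tar() -> bytes:
    """Constructed sample archive (not taken from any real package): a regular
    file, a symlink that stays inside the tree, a symlink that escapes it, and a
    member whose name itself traverses upwards."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"print('hello')\n"
        regular = tarfile.TarInfo("pkg/setup.py")
        regular.size = len(data)
        tar.addfile(regular, io.BytesIO(data))

        link_ok = tarfile.TarInfo("pkg/link_ok")
        link_ok.type = tarfile.SYMTYPE
        link_ok.linkname = "setup.py"
        tar.addfile(link_ok)

        link_out = tarfile.TarInfo("pkg/link_out")
        link_out.type = tarfile.SYMTYPE
        link_out.linkname = "../../outside"
        tar.addfile(link_out)

        traversal = tarfile.TarInfo("../escape.txt")
        tar.addfile(traversal)
    return buf.getvalue()


def audit_sample(dest: str = "/tmp/build") -> List[Tuple[str, str]]:
    """Audit the constructed archive against a hypothetical destination."""
    with tarfile.open(fileobj=io.BytesIO(build_sample_tar()), mode="r") as tar:
        return audit_tar_members(tar, dest)


if __name__ == "__main__":
    print(sanitize_content_filename('attachment; filename="../../evil.whl"'))
    for name, reason in audit_sample():
        print(f"rejected {name}: {reason}")
```

Running the audit on the sample archive rejects exactly the two hostile members ("../escape.txt" and "pkg/link_out") and accepts the regular file and the in-tree symlink. Python 3.12, and the patch releases of 3.8 through 3.11 that backported extraction filters, offer the same protection through tarfile itself (extractall(path, filter="data")); the audit above spells out the checks such a filter performs so they can be applied, and logged, before any extraction is attempted.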
For Debian 10 buster, these problems have been fixed in version 18.1-5+deb10u1.
For Debian 9 stretch, these problems have been fixed in version 9.0.1-2+deb9u3.
We recommend that you upgrade your python-pip packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.