PyPI logo
PyPI-logo

Python team fixes bug that allowed takeover of PyPI repository

The Python security team has fixed today three vulnerabilities impacting the Python Package Index (PyPI), the official repository for Python libraries, including one that could have allowed a threat actor to take full control over the portal.

The three vulnerabilities were discovered by Japanese security researcher RyotaK, the same who earlier this month found a bug in Cloudflare's CDNJS service that could have allowed a third party to run malicious code on roughly 12% of today's websites.

In a new report published today, RyotaK said he analyzed PyPI, a web portal that serves as an official package index and repository for Python libraries. The site is basically a database, which works in conjunction with the official Python pip package installer, and allows developers and amateur programmers to easily search and install Python components for their projects.

In tune with the Python Software Foundation's mantra, the source code of the PyPI service is also available on GitHub. By analyzing this public codebase, RyotaK said he found three bugs that could be exploited to:

Delete other projects' documentation filesDelete another project permission rolesRun bash commands on the PyPI codebase itself via GitHub Actions workflows

Of the three, RyotaK described the first two as low-impact vulnerabilities that could "only be used for harassment at best."

However, a third bug was a critical issue as attackers could run commands on the PyPI's infrastructure to gather tokens or other secrets from the codebase that an attacker could later use to access and modify the PyPI code itself.

"I could modify top page of pypi.org," the researcher told The Record in an interview earlier today.

"It was [also] possible to modify the contents of packages, as pypa/warehouse contains a code for it," he added.

The Python Software Foundation has awarded the researcher $1,000 for each of his bug reports, along with a public acknowledgment of his work.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Catalin Cimpanu

Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.