Tuesday, April 29, 2025
HomeCyber Security NewsCritical Remote Code Execution Bugs Found in Python PyPI Repository

Critical Remote Code Execution Bugs Found in Python PyPI Repository

Published on

SIEM as a Service

Follow Us on Google News

Though PyPI has a security folio, it still, they don’t have any transparent policy for the vulnerability assessments. As recently, the operators of the official Python Package Index (PyPI) repository has eliminated 8 libraries that contain malicious code.

Here, the developers of PyPI have recently fixed the 3 most severe vulnerabilities, one of which allows a threat actor to take full control of the portal.

All these vulnerabilities were identified by a well-known Japanese cybersecurity analyst, RyotaK. And he’s the one who recently also reported a bug in Cloudflare CDNJS that allows any attackers to run malicious code on all the vulnerable websites.

- Advertisement - Google News

Apart from this, the analyst, RyotaK analyzed the PyPI code that is available on GitHub and he identified that if these three vulnerabilities were exploited by the hackers then they would be able to do the following things:-

  • Delete documentation files from other people’s projects.
  • Remove roles in other people’s projects.
  • run bash commands in the PyPI codebase itself using GitHub Actions.

Here is the list of three vulnerabilities and their defining amplification:-

Vulnerability in Legacy Document Deletion on PyPI

The security researcher detected this vulnerability, and this security flaw is exploitable in the mechanisms for deleting legacy documentation hosting deployment tooling on PyPI.

This security flaw allows a hacker to remove documentation for projects that are not under their control. While RyotaK disclosed this security flaw on 2021-07-25 through the security policy on PyPI[.]org, and as a bounty reward, he received $1000.

While just by adding a trailing slash to the project name used with “remove_by_prefix” in https://github.com/pypa/warehouse/pull/9839 through https://github.com/pypa/warehouse/pull/9839/commits/3afcac795619b0b06007d0fb179d3ca137ed43b7 this security flaw was patched.

Vulnerability in Role Deletion on PyPI

The security researcher detected this exploitable vulnerability, and this security flaw was detected in the mechanisms for deleting roles on PyPI.

This vulnerability allows an attacker to remove or delete all the roles for the projects that are not under their control. While apart from this, RyotaK disclosed this security flaw on 2021-07-26 through the security policy on PyPI[.]org, and as a bounty reward, he received $1000.

While just by adding a filter on the current project to the query for the role in https://github.com/pypa/warehouse/pull/9845 through https://github.com/pypa/warehouse/pull/9845/commits/7605bee1e77319000f71f5b60959a35c8e482161 this security flaw was patched.

Vulnerability in GitHub Actions workflow for PyPI

In a GitHub Actions workflow for PyPI’s source repository, the security researcher detected this exploitable severe vulnerability.

While this severe vulnerability could allow a threat actor to gain write permissions upon the pypa/warehouse repository. Apart from this, the security analyst, RyotaK disclosed this security flaw on 2021-07-27 through the security policy on PyPI[.]org, and as a bounty reward, he received $1000.

While just by matching against the PR creator username and not using an unnecessary echo in https://github.com/pypa/warehouse/pull/9846 through https://github.com/pypa/warehouse/pull/9846/commits/fb98c6bb4d68fb43944171214971f6c776f844ce and https://github.com/pypa/warehouse/pull/9846/commits/50bd16422889d653127d373c9615516bf883a394 this security flaw was patched.

Moreover, the third vulnerability was more critical than the others, since it allows an attacker to run commands in the PyPI infrastructure to collect tokens or other secrets from the codebase.

And not only that even later the threat actor could also use this to access and modify the PyPI code.

However, to appreciate the work of the security researcher, Ryotak the Python Software Foundation has already rewarded him $ 1,000 for each vulnerability that he detected and reported.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

ResolverRAT Targets Healthcare and Pharmaceutical Sectors Through Sophisticated Phishing Attacks

A previously undocumented remote access trojan (RAT) named ResolverRAT has surfaced, specifically targeting healthcare...

Europol Launches Taskforce to Combat Violence-as-a-Service Networks

Europol has announced the launch of a powerful new Operational Taskforce (OTF), codenamed GRIMM, to...

JokerOTP Platform Linked to 28,000+ Phishing Attacks Dismantled

Law enforcement agencies from the UK and the Netherlands have dismantled the notorious JokerOTP...

Windows Server 2025 Gets Hotpatching Support Beginning July 1, 2025

Microsoft announced that hotpatching support for Windows Server 2025 will become generally available as...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

ResolverRAT Targets Healthcare and Pharmaceutical Sectors Through Sophisticated Phishing Attacks

A previously undocumented remote access trojan (RAT) named ResolverRAT has surfaced, specifically targeting healthcare...

Europol Launches Taskforce to Combat Violence-as-a-Service Networks

Europol has announced the launch of a powerful new Operational Taskforce (OTF), codenamed GRIMM, to...

JokerOTP Platform Linked to 28,000+ Phishing Attacks Dismantled

Law enforcement agencies from the UK and the Netherlands have dismantled the notorious JokerOTP...