Home / mailings [USN-7599-2] pip vulnerability
Posted on 26 June 2025
Ubuntu Security==========================================================================Ubuntu Security Notice USN-7599-2
June 26, 2025
python-pip vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.04
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
pip could be made to expose sensitive information over the network.
Software Description:
- python-pip: Python package installer
Details:
USN-7599-1 fixed vulnerabilities in python-urllib3. This update provides
the corresponding update for python-pip for CVE-2025-50181.
Original advisory details:
Jacob Sandum discovered that urllib3 handled redirects even when they were
explicitly disabled while using the PoolManager. An attacker could possibly
use this issue to obtain sensitive information. (CVE-2025-50181)
Illia Volochii discovered that urllib3 incorrectly handled retry and
redirect parameters when using Node.js. An attacker could possibly use this
issue to obtain sensitive information. This issue only affected Ubuntu
25.04. (CVE-2025-50182)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.04
python3-pip 25.0+dfsg-1ubuntu0.1
Ubuntu 24.10
python3-pip 24.2+dfsg-1ubuntu0.2
Ubuntu 24.04 LTS
python3-pip 24.0+dfsg-1ubuntu1.2
Ubuntu 22.04 LTS
python3-pip 22.0.2+dfsg-1ubuntu0.6
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7599-2
https://ubuntu.com/security/notices/USN-7599-2
CVE-2025-50181
Package Information:
https://launchpad.net/ubuntu/+source/python-pip/25.0+dfsg-1ubuntu0.1
https://launchpad.net/ubuntu/+source/python-pip/24.2+dfsg-1ubuntu0.2
https://launchpad.net/ubuntu/+source/python-pip/24.0+dfsg-1ubuntu1.2
https://launchpad.net/ubuntu/+source/python-pip/22.0.2+dfsg-1ubuntu0.6
--===============4432860655683529054==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
