Security researcher RyotaK disclosed three flaws in PyPI, the most severe one could potentially lead to the compromise of the entire PyPI infrastructure.
Python Package Index (PyPI) is the official third-party software repository for Python. PyPI as an index allows users to search for packages by keywords or by filters against their metadata, such as free software license or compatibility with POSIX.
The flaw affects the combine-prs.yml workflow in pypa/warehouse, which includes the current source code of PyPI.
This workflow allows to collect pull requests that have branch names starting with dependabot and merge them into a single pull request.
The workflow fails to verify the pull request author, this means that anyone could create a pull request with a specific name and have the workflow to process it.
The workflow did not verify the pull request author, anyone could create a pull request with a specific name and have the workflow to process it. RyotaK pointed out that it is still not possible to execute code because the workflow only combines pull requests and the result is reviewed by a human operator that could detect and discard any malicious code.
RyotaK discovered a flaw in the code used for printing branch lists of pull requests, the issue could be exploited to execute commands and leak GitHub Access Token with write permission against the pypa/warehouse repository.
“In this line, combine-prs.yml prints branch lists of pull requests by using the following code. It’s a simple echo command, which looks fine at first glance, but it’s not safe due to the GitHub Actions’ behavior.” states the expler
run: |
echo "${{steps.fetch-branch-names.outputs.result}}"“Because this workflow used actions/checkout, .git/config contains secrets.GITHUB_TOKEN, which has the write permissions. So, by executing commands like cat .git/config, it’s possible to leak GitHub Access Token with write permission against the pypa/warehouse repository. As described above, if someone pushed changes to the main branch, it’ll trigger the automatic deployment to pypi.org.”
Once an attacker has obtained write permission to the repository, it will be able to execute arbitrary code on pypi.org.
Below the step by step procedure to execute arbitrary codes on pypi.org:
dependabot;cat$IFS$(echo$IFS'LmdpdA=='|base64$IFS'-d')/config|base64;sleep$IFS'10000';#4WIP)combine-prs.yml to be executedmain branchpypi.orgThe expert reported this vulnerability to Python’s security team that fixed it.
In an update provided on 31 July, the researcher @mrtc0 explained that the attack procedure above doesn’t work. RyotaK agreed and provided the following procedure:
attack procedure.
dependabot in pypa/warehouse`;github.auth().then(auth=>console.log(auth.token.split("")))//combine-prs.yml to be executedmain branchpypi.orgThe vulnerability discovered by the expert could have a significant impact to the Python ecosystem, the expert highlighted the risks of supply chain attacks.
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, PyPI )
[adrotate banner=”5″]
[adrotate banner=”13″]
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Fortinet vulnerability to its Known Exploited Vulnerabilities…
Kosovar citizen extradited to the US for running the cybercrime marketplace BlackDB.cc appeared in federal…
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Windows flaws to its Known Exploited…
Ivanti addressed two Endpoint Manager Mobile (EPMM) software vulnerabilities that have been exploited in limited…
Microsoft Patch Tuesday security updates for May 2025 addressed 75 security flaws across multiple products, including…
Fortinet fixed a critical remote code execution zero-day vulnerability actively exploited in attacks targeting FortiVoice…
This website uses cookies.