USN-8344-1: pip vulnerabilities

Publication date

28 May 2026

Overview

Several security issues were fixed in pip.


Packages

Details

It was discovered that pip incorrectly handled TLS certificate
verification in session connections. If a session was first used with
certificate verification disabled, subsequent requests to the same host
would also skip verification regardless of the session's current settings.
A remote attacker could possibly use this issue to perform a machine-in-the-middle
attack and expose sensitive information. (CVE-2024-35195)

It was discovered that pip's bundled urllib3 library did not limit the
number of decompression steps when processing HTTP responses. A remote
attacker could possibly use this issue to cause pip to consume excessive resources,
leading to a denial of service. (CVE-2025-66418)

It was discovered that pip's bundled urllib3 library improperly
handled streaming decompression of highly compressed data. A remote
attacker could possibly use this issue to cause pip to consume excessive resources,
leading to a denial of service. (CVE-2025-66471)


Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release        Package           Version
26.04 LTS (resolute)  python3-pip       25.1.1+dfsg-1ubuntu2+esm1
                      python3-pip-whl   25.1.1+dfsg-1ubuntu2+esm1
24.04 LTS (noble)     python3-pip       24.0+dfsg-1ubuntu1.3+esm1
                      python3-pip-whl   24.0+dfsg-1ubuntu1.3+esm1
22.04 LTS (jammy)     python3-pip       22.0.2+dfsg-1ubuntu0.7+esm1
                      python3-pip-whl   22.0.2+dfsg-1ubuntu0.7+esm1
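As an added example (not part of the notice or of pip itself), the following Python check decides whether the python3-pip and python3-pip-whl versions installed on a host meet the fixed versions listed above. It ports dpkg's version ordering so that suffixes such as +esm1 and ~ pre-release markers compare correctly; the dpkg-query output it parses is a constructed sample, and the `dpkg-query -W -f='${Package} ${Version}\n'` format is an assumption about how the input is gathered.

```python
import re

# Fixed versions from USN-8344-1, keyed by Ubuntu codename (same for both packages per release)
FIXED_VERSIONS = {"resolute": "25.1.1+dfsg-1ubuntu2+esm1",
                  "noble": "24.0+dfsg-1ubuntu1.3+esm1",
                  "jammy": "22.0.2+dfsg-1ubuntu0.7+esm1"}
AFFECTED_PACKAGES = ("python3-pip", "python3-pip-whl")

def _order(c):
    # dpkg's character ranking: '~' sorts before everything, even the end of the string (0)
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """Compare two upstream or revision strings the way dpkg does (-1, 0 or 1)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run: compare character by character using dpkg's ranking
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i, j = i + 1, j + 1
        # digit run: compare numerically, so 1.10 sorts after 1.9
        ma, mb = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        i, j = i + len(ma), j + len(mb)
        if int(ma or 0) != int(mb or 0):
            return -1 if int(ma or 0) < int(mb or 0) else 1
    return 0

def deb_version_cmp(v1, v2):
    """Compare full Debian versions of the form [epoch:]upstream[-revision]."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def check_installed(codename, dpkg_output):
    """Map each affected package found in 'package version' lines to True when its version is fixed."""
    fixed = FIXED_VERSIONS[codename]
    status = {}
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in AFFECTED_PACKAGES:
            status[parts[0]] = deb_version_cmp(parts[1], fixed) >= 0
    return status
```

A package that is absent from the output does not appear in the result, so a host without python3-pip-whl installed is not flagged for it.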

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.
