CVE-2013-5123
Description
The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Python pip before 1.5 used insecure DNS and authenticity checks in mirroring support, enabling man-in-the-middle attacks.
Vulnerability
Details
The mirroring support in Python pip versions before 1.5, enabled via the -M or --use-mirrors options, employed insecure DNS querying and lacked proper authenticity checks [1][2]. This design flaw allowed an attacker to perform man-in-the-middle attacks by spoofing DNS responses or intercepting communications between pip and mirror servers [3][4].
Exploitation
An attacker positioned on the network path between the pip client and mirror hosts could manipulate DNS queries to redirect requests to a malicious server [3]. No cryptographic validation of mirror identity or package signatures was performed, meaning any compromised or fake mirror could serve arbitrary code [4]. The attack requires no prior authentication and can be triggered during any pip installation or upgrade using mirrors.
Impact
A successful man-in-the-middle attack could lead to the installation of arbitrary Python packages, resulting in remote code execution or system compromise [1]. This vulnerability poses significant risk to automated deployment pipelines and any environment relying on pip with mirror support.
Mitigation
The issue was addressed in pip version 1.5 by deprecating the --use-mirrors flag and improving the security of mirror interactions [2]. Users are strongly advised to upgrade to pip 1.5 or later and avoid using mirroring without HTTPS and certificate verification.
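The mitigation above amounts to three settings in practice: a single HTTPS index, TLS certificate verification left on, and no reliance on unauthenticated mirrors. The following pip.conf is an added illustration, not part of the advisory or of pip's own documentation; the index URL is pip's public default, and the CA bundle path and the internal host name are placeholders chosen for the example.

```ini
# Added example: pip.conf (Linux: ~/.config/pip/pip.conf) for a pip 1.5+ client.
# The "Weak" lines show the settings that recreate the risk this CVE describes;
# leave them out and keep the "Hardened" block.

[global]
# Hardened: one explicit HTTPS index; pip verifies the server certificate.
index-url = https://pypi.org/simple
# Hardened: pin the CA bundle pip trusts (placeholder path, adjust for your host).
cert = /etc/pki/tls/certs/ca-bundle.crt

# Weak (do not use): marks a host as trusted even without valid HTTPS,
# which removes the identity check that a man-in-the-middle attack needs absent.
# trusted-host = mirror.internal.example

[install]
# Hardened: refuse any distribution whose hash is not listed in the
# requirements file, so a tampered archive from any index is rejected.
require-hashes = true
```

With `require-hashes = true`, every requirements file must carry `--hash=sha256:...` entries for each pinned package; pip will refuse an install that lacks them rather than fall back to an unverified download. The deprecated `--use-mirrors` / `-M` flag has no place in this configuration.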
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pip (PyPI) | < 1.5 | 1.5 |
Affected products
- Python/Pip (source: description)
- ghsa-coords (15 versions):
  - pkg:pypi/pip
  - pkg:rpm/opensuse/python2-pip&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/python-pip&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/python39-pip&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3
  - pkg:rpm/suse/python39-setuptools&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3
  - pkg:rpm/suse/python-jmespath&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2012
  - pkg:rpm/suse/python-jsonschema&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2012
  - pkg:rpm/suse/python-paramiko&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2012
  - pkg:rpm/suse/python-pip&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2012
  - pkg:rpm/suse/python-pip&distro=SUSE%20OpenStack%20Cloud%207
  - pkg:rpm/suse/python-ply&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4
  - pkg:rpm/suse/python-ply&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2012
  - pkg:rpm/suse/python-ply&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4
  - pkg:rpm/suse/python-ply&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4
  - pkg:rpm/suse/python-ply&distro=SUSE%20OpenStack%20Cloud%207
- (no CPE) range: < 1.5
- (no CPE) range: < 20.0.2-2.6
- (no CPE) range: < 9.0.1-1.1
- (no CPE) range: < 20.2.4-7.5.1
- (no CPE) range: < 44.1.1-7.3.1
- (no CPE) range: < 0.9.2-10.6.1
- (no CPE) range: < 2.2.0-3.3.1
- (no CPE) range: < 1.18.5-2.15.1
- (no CPE) range: < 10.0.1-11.6.1
- (no CPE) range: < 10.0.1-11.6.1
- (no CPE) range: < 3.4-3.3.1
- (no CPE) range: < 3.4-3.3.1
- (no CPE) range: < 3.4-3.3.1
- (no CPE) range: < 3.4-3.3.1
- (no CPE) range: < 3.4-3.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-c5h8-cq4v-cvfm (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2013-5123 (ghsa; ADVISORY)
- lists.fedoraproject.org/pipermail/package-announce/2015-April/155248.html (ghsa; x_refsource_MISC; WEB)
- lists.fedoraproject.org/pipermail/package-announce/2015-April/155291.html (ghsa; x_refsource_MISC; WEB)
- www.openwall.com/lists/oss-security/2013/08/21/17 (ghsa; x_refsource_MISC; WEB)
- www.openwall.com/lists/oss-security/2013/08/21/18 (ghsa; x_refsource_MISC; WEB)
- www.securityfocus.com/bid/77520 (mitre; x_refsource_MISC)
- bugzilla.redhat.com/show_bug.cgi (ghsa; x_refsource_MISC; WEB)
- bugzilla.suse.com/show_bug.cgi (ghsa; x_refsource_MISC; WEB)
- github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2019-160.yaml (ghsa; WEB)
- security-tracker.debian.org/tracker/CVE-2013-5123 (ghsa; x_refsource_MISC; WEB)
News mentions
No linked articles in our index yet.