VYPR
High severity · NVD Advisory · Published Nov 10, 2021 · Updated Aug 3, 2024

CVE-2021-3572

Description

A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A flaw in pip's handling of Unicode separators in git references could let a remote attacker make pip install a different revision of a repository than the one the user pinned, compromising data integrity.

Vulnerability

A flaw exists in the git backend of pip's VCS support. When resolving the `@rev` part of a git URL, `get_revision_sha` runs `git show-ref` and parsed its output with Python's `str.splitlines()` and `str.split()`, both of which also break on non-ASCII separators such as U+2028 LINE SEPARATOR and U+00A0 NO-BREAK SPACE. Git rejects ASCII whitespace in ref names but accepts those characters, so a crafted tag name could make the parser produce a fake `<sha> refs/tags/<rev>` pair that shadows the revision the user asked for, hijacking a commit-based pin so that pip checks out a different revision than intended. All versions of pip before 21.1 are affected. [2][4]

Exploitation

The attacker must be able to push a tag to the repository the victim installs from, and the victim must install with a commit-based pin (e.g., git+https://...@<commit>). The attacker creates a tag whose name contains Unicode separators and ends with the pinned revision; `git show-ref` lists it because the pattern matches the tail of the ref name, and pip's splitting of that line then yields an entry for `refs/tags/<commit>` that points at the attacker's commit. No user interaction beyond the normal pip install command is required. [4]
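The hijack described in the Vulnerability and Exploitation sections, worked through in Python as an added example. This is not pip's code: the two parsers reconstruct the before/after logic visible in the fix to `get_revision_sha`, the SHA values and the `git show-ref` output are constructed, and `resolve()` mirrors the branch-then-tag lookup order assumed for that function.

```python
"""CVE-2021-3572 demo: a tag name built from Unicode separators versus pip's
old and new `git show-ref` parsers.

Added example; not code from pip. The parsers reconstruct the logic of
pip's get_revision_sha() before and after the fix. The SHAs and the
show-ref output are constructed, not captured from a real repository.
"""

USER_SHA = "1111111111111111111111111111111111111111"  # the commit the user pinned
EVIL_SHA = "2222222222222222222222222222222222222222"  # the commit the attacker wants installed
TAG_SHA = "3333333333333333333333333333333333333333"   # the object the crafted tag really points at

# git rejects ASCII control characters and ' ' in ref names but accepts
# multi-byte UTF-8, so U+2028 LINE SEPARATOR and U+00A0 NO-BREAK SPACE are
# legal here. Python treats both as whitespace: splitlines() breaks on
# U+2028 and split() breaks on U+00A0. The name ends in "/<USER_SHA>" so
# `git show-ref <USER_SHA>` (a tail match on the ref name) lists it.
EVIL_TAG = f"x\u2028{EVIL_SHA}\u00a0refs/tags/{USER_SHA}"


def show_ref_output(tag_name: str, tag_sha: str) -> str:
    """Constructed stand-in for `git show-ref <rev>`: '<sha> <refname>' per line."""
    return f"{tag_sha} refs/tags/{tag_name}\n"


def parse_refs_vulnerable(output: str) -> dict:
    """pip < 21.1: both str.splitlines() and str.split() honour Unicode separators."""
    refs = {}
    for line in output.strip().splitlines():
        ref_sha, ref_name = line.split()  # raises ValueError unless exactly two fields
        refs[ref_name] = ref_sha
    return refs


def parse_refs_fixed(output: str) -> dict:
    """pip >= 21.1: split only on '\\n' and the ASCII space git itself emits."""
    refs = {}
    for line in output.strip().split("\n"):
        line = line.rstrip("\r")
        if not line:
            continue
        ref_sha, ref_name = line.split(" ", maxsplit=2)  # as written in the fix commit
        refs[ref_name] = ref_sha
    return refs


def resolve(refs: dict, rev: str):
    """Lookup order assumed from get_revision_sha: remote branch first, then tag.
    None means 'no such ref'; pip then treats rev as a raw commit hash."""
    sha = refs.get(f"refs/remotes/origin/{rev}")
    if sha is not None:
        return sha
    return refs.get(f"refs/tags/{rev}")


def vulnerable_resolution():
    """What pip < 21.1 would check out for the pin USER_SHA: the attacker's commit."""
    return resolve(parse_refs_vulnerable(show_ref_output(EVIL_TAG, TAG_SHA)), USER_SHA)


def fixed_resolution():
    """What pip >= 21.1 finds: no ref for USER_SHA, so it falls back to the raw hash."""
    return resolve(parse_refs_fixed(show_ref_output(EVIL_TAG, TAG_SHA)), USER_SHA)


if __name__ == "__main__":
    print("vulnerable pip checks out:", vulnerable_resolution())
    print("fixed pip finds a ref for the pin:", fixed_resolution())
```

The crafted line is a single `git show-ref` record; the old parser turns it into two records, the second of which claims `refs/tags/<USER_SHA>` points at `EVIL_SHA`. The fixed parser keeps it as one record under the odd tag name, finds nothing for the pin, and pip proceeds with the literal commit hash.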

Impact

Successful exploitation causes pip to install a different revision of the repository than the one the user pinned. The direct impact is to data integrity: the attacker chooses the code that gets installed and can inject malicious code or dependencies into the package, with potential for further compromise depending on what the injected revision does. [2][4]

Mitigation

The vulnerability is fixed in pip 21.1, released in April 2021; upgrade to pip 21.1 or later. Red Hat shipped the fix for the rh-python38 collection in RHSA-2021:3254. No workaround is available; upgrading is the only mitigation. [1][2][4]
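Since the only fix is upgrading, a practitioner who cannot yet guarantee pip >= 21.1 on every host will want to know whether the repositories they pin by commit carry tags of the shape this issue relies on. The following audit is an added example, not part of pip or of the advisory; it reads `git for-each-ref --format=%(refname)` output, and `SAMPLE_REFS` is constructed.

```python
"""Audit ref names for Unicode separators (added example, not part of pip or
of the advisory). Intended as a pre-flight check on repositories that are
installed by commit pin while some hosts may still run pip < 21.1.
Reads the output of `git for-each-ref --format=%(refname)`; SAMPLE_REFS is
constructed, not captured from a real repository.
"""
import subprocess


def separator_hits(name: str) -> list:
    """(index, 'U+XXXX') for each character Python treats as whitespace.
    git forbids ASCII whitespace in ref names, so every hit is a non-ASCII
    separator of the kind CVE-2021-3572 relied on (U+2028, U+00A0, U+0085, ...)."""
    return [(i, f"U+{ord(c):04X}") for i, c in enumerate(name) if c.isspace()]


def audit_ref_names(for_each_ref_output: str) -> dict:
    """Return {refname: hits} for every ref whose name contains a separator.
    Split on '\\n' only: splitlines() would be fooled by U+2028 exactly as
    the vulnerable pip parser was."""
    findings = {}
    for line in for_each_ref_output.split("\n"):
        name = line.rstrip("\r")
        if not name:
            continue
        hits = separator_hits(name)
        if hits:
            findings[name] = hits
    return findings


def audit_repo(path: str) -> dict:
    """Run the audit against a local clone (requires git on PATH)."""
    proc = subprocess.run(
        ["git", "-C", path, "for-each-ref", "--format=%(refname)"],
        check=True, capture_output=True, encoding="utf-8",
    )
    return audit_ref_names(proc.stdout)


# Constructed sample: two ordinary refs and one crafted tag of the shape used
# in the hijack (LINE SEPARATOR, then NO-BREAK SPACE before a fake ref name).
CRAFTED_TAG = "refs/tags/x\u2028" + "2" * 40 + "\u00a0refs/tags/" + "1" * 40
SAMPLE_REFS = "refs/heads/main\nrefs/tags/v1.0\n" + CRAFTED_TAG + "\n"

if __name__ == "__main__":
    import sys
    findings = audit_repo(sys.argv[1]) if len(sys.argv) > 1 else audit_ref_names(SAMPLE_REFS)
    for name, hits in findings.items():
        print(repr(name), hits)
    sys.exit(1 if findings else 0)
```

Run it with a clone path to check a real repository, or with no arguments to see it flag the constructed tag; a non-zero exit makes it usable as a CI gate in front of `pip install` on hosts that have not yet been upgraded.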

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
pip       PyPI        < 21.1              21.1

Patches

Commit e46bdda97113

Merge pull request #9827 from pradyunsg/fix-git-improper-tag-handling

https://github.com/pypa/pip · Stéphane Bidoul · Apr 24, 2021 · via GHSA
2 files changed · +11 −2
  • news/9827.bugfix.rst (+3 −0, added)
    @@ -0,0 +1,3 @@
    +**SECURITY**: Stop splitting on unicode separators in git references,
    +which could be maliciously used to install a different revision on the
    +repository.
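    Review bot: the news entry names neither the advisory nor the affected code path; for a note tagged SECURITY, add the identifier (CVE-2021-3572) and say that the affected parsing is the `git show-ref` handling in `get_revision_sha`, so packagers can map the 21.1 release note to the CVE. Also "install a different revision on the repository" reads more naturally as "install a different revision of the repository".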
    
  • src/pip/_internal/vcs/git.py (+8 −2, modified)
    @@ -131,9 +131,15 @@ def get_revision_sha(cls, dest, rev):
                 on_returncode='ignore',
             )
             refs = {}
    -        for line in output.strip().splitlines():
    +        # NOTE: We do not use splitlines here since that would split on other
    +        #       unicode separators, which can be maliciously used to install a
    +        #       different revision.
    +        for line in output.strip().split("\n"):
    +            line = line.rstrip("\r")
    +            if not line:
    +                continue
                 try:
    -                ref_sha, ref_name = line.split()
    +                ref_sha, ref_name = line.split(" ", maxsplit=2)
                 except ValueError:
                     # Include the offending line to simplify troubleshooting if
                     # this error ever occurs.
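    Review bot: `ref_sha, ref_name = line.split(" ", maxsplit=2)` uses maxsplit=2 while unpacking exactly two values, so a line with two spaces yields three fields and lands in the `except ValueError` path exactly as plain `split(" ")` would; the argument adds nothing as written. If the intent is to tolerate unexpected extra fields, use `maxsplit=1` so everything after the first space becomes `ref_name`; if it is to reject them, drop the argument. Either way, add a regression test that feeds a tag name containing U+2028 and U+00A0 through this loop, since the NOTE comment is currently the only thing documenting why `splitlines()` and bare `split()` must not return here.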
    
