Skip to content
.ca
sign in
Work being done in the backend.
4 minhigh

PyPI Fixes High-Severity Access Control Issues Found in Security Audit

A recent security audit of PyPI by Trail of Bits uncovered 14 vulnerabilities, including high-severity access control flaws that allowed unauthorized role escalation and persistent stale permissions across project transfers. Additionally, a JWT replay vulnerability in the OIDC trusted publishing flow and an unpatched metadata validation gap highlight ongoing supply chain risks for Python package consumers.

Conf:highAnalyzed:2026-05-05Google

Authors: Sarah Gooding

Supply ChainMetadata ValidationJWT ReplayPyPIAccess Control

Source:Socket

Detection / HunterGoogle

What Happened

Security researchers recently audited PyPI, the main repository for Python software packages, and found several serious security flaws. The most critical issues allowed regular users to secretly give themselves administrative control over organizations or keep their access to projects even after those projects were transferred away. While PyPI has fixed most of these problems, one remaining issue allows attackers to hide malicious software dependencies in a way that security tools might miss. Organizations using Python should ensure their security tools check the actual package files, not just the online registry information.

Key Takeaways

  • PyPI patched a high-severity flaw allowing organization members to invite new owners due to insufficient POST request permission checks.
  • A second high-severity issue allowed stale team permissions to persist after project transfers, potentially enabling unauthorized malicious uploads.
  • A medium-severity JWT replay vulnerability existed due to a 25-second discrepancy between Redis key expiration and PyJWT's leeway window.
  • An unpatched metadata validation gap allows attackers to hide malicious dependencies inside wheel metadata that differ from the PyPI JSON API.

Affected Systems

  • PyPI (Python Package Index)
  • Warehouse (PyPI application)
  • pip (package installer)
  • SBOM generators relying on PyPI JSON API

Attack Chain

In a theoretical attack leveraging the metadata gap, an adversary uploads a Python package to PyPI declaring no dependencies in the upload form. However, the attacker embeds a malicious dependency requirement directly inside the wheel archive's metadata file. Security tools querying the PyPI JSON API report zero dependencies, but when a victim installs the package using pip, the installer fetches the embedded metadata and silently installs the malicious dependency.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules are provided, but Trail of Bits developed a custom CodeQL query for PyPI to detect state-changing POST handlers protected only by read-level permissions.

Detection Engineering Assessment

EDR Visibility: None — The vulnerabilities are server-side logic flaws within the PyPI infrastructure and do not execute on endpoint devices. Network Visibility: Low — Traffic to PyPI is TLS-encrypted, making network-level inspection of API payloads or wheel metadata difficult without SSL decryption. Detection Difficulty: Hard — Detecting these issues requires access to PyPI's internal backend logs or custom tooling to compare PyPI JSON API responses against downloaded wheel metadata.

Required Log Sources

  • Application Audit Logs
  • Web Server Access Logs
  • CI/CD Pipeline Logs

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Compare dependency lists from the PyPI JSON API against the embedded .dist-info/METADATA in downloaded wheel files to identify hidden malicious dependencies.Package Manager Logs / Custom ScriptingExecution / Supply ChainLow

Control Gaps

  • SBOM generators relying solely on PyPI JSON API
  • Vulnerability scanners not parsing embedded wheel metadata

Key Behavioral Indicators

  • Discrepancies between form-derived metadata and embedded wheel metadata
  • Unexpected role changes in PyPI organization audit logs

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Audit internal Python projects for unexpected dependencies installed during the build process.
  • Ensure SBOM generation tools parse actual wheel metadata rather than relying solely on the PyPI JSON API.

Infrastructure Hardening

  • Review PyPI organization roles and project permissions to ensure no unauthorized or stale access exists.
  • Implement strict lockfiles with hash-checking for all Python dependency installations.

User Protection

  • Educate developers on the risks of hidden dependencies in Python packages.
  • Monitor CI/CD pipelines for leaked OIDC tokens or misconfigured artifacts.

Security Awareness

  • Train engineering teams on the nuances of package registry metadata and the potential for supply chain compromise.

MITRE ATT&CK Mapping

  • T1098 - Account Manipulation
  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
  • T1550.001 - Use Alternate Authentication Material: Application Access Token

Related