CVE-2023-5752
Aliases:GHSA-mq26-g339-26xfBIT-pip-2023-5752PYSEC-2023-228
Advisory lineage Upstream: 0 Downstream: 9
Modified
Published: 24 Oct 2023, 20:56
Last modified:03 Nov 2025, 17:31
Vulnerability Summary
Overall Risk (default)
low
22/100 CVSS Score
5.5 MEDIUM
v3.1 (cve.org)
EPSS Score
0.07% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
24 Oct 2023, 20:56
Published
Vulnerability first disclosed
03 Nov 2025, 17:31
Last Modified
Vulnerability information updated
Description
When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
CVSS Metrics
- v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
- v3.1•LOW•Score: 3.3CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS Trends
Current EPSS score: 0.07%• Percentile: 23%
Techniques & Countermeasures
- CWE-77•Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Affected Systems
- pypa•pip
< 23.3
- PyPI•pip
< 23.3
References (18)
- https://github.com/pypa/pip/pull/12306
- https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW/
- https://lists.debian.org/debian-lts-announce/2025/10/msg00028.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-5752
- https://github.com/pypa/pip/commit/389cb799d0da9a840749fcd14878928467ed49b4
- https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2023-228.yaml
- https://github.com/pypa/pip
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ
- https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL