
PyPI Vulnerability: The Danger of 'Won't-Fix' Security Flaws #shorts

BSides Frankfurt · 0:41 · 327 views · Published 2026-03
About this talk
A 'won't-fix' issue in how pip resolves packages across indexes lets an attacker hijack installations by registering a private package's name on the public PyPI index with an absurdly high version number (for example 9999). The problem is --extra-index-url: when a project uses it to point at an internal repository, pip searches the official index and the internal one as peers and installs whichever offers the highest version, regardless of which index served it, so the attacker's release wins over the real internal package. Protect your builds by pointing pip at the internal repository with --index-url instead, and only that repository; the cost is that the internal repository then has to mirror every public dependency you rely on.
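The following model of pip's index handling is an added example, not code from the talk or from pip itself. It simulates two constructed indexes (a hypothetical internal one at pypi.internal.example and the public one), a simplified version comparison (tuples of integers rather than PEP 440, which is what pip really uses), and the two configurations discussed above: --extra-index-url, where both indexes are searched as peers, and --index-url, where only the internal index is consulted. The package names, versions and URLs are constructed for the example.

```python
"""Simplified model of how pip picks a distribution across indexes.

Added example; the index contents, package names and the internal URL are
constructed, and version parsing is a deliberate simplification of PEP 440.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


def parse_version(v: str) -> tuple[int, ...]:
    # Simplified: pip uses packaging.version (PEP 440); dotted integers suffice here.
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str  # URL of the index that served this candidate


INTERNAL_INDEX = "https://pypi.internal.example/simple"  # hypothetical internal repo
PUBLIC_INDEX = "https://pypi.org/simple"

# Constructed index contents. The internal index holds the private package and a
# mirrored copy of one public dependency; the public index carries a squatted
# release of the private name at version 9999, as described in the talk.
INDEXES: dict[str, dict[str, list[str]]] = {
    INTERNAL_INDEX: {
        "acme-internal-utils": ["1.2.0", "1.3.0"],
        "requests": ["2.31.0"],
    },
    PUBLIC_INDEX: {
        "acme-internal-utils": ["9999"],
        "requests": ["2.31.0", "2.32.3"],
        "numpy": ["2.2.0"],
    },
}


def candidates(name: str, indexes: Iterable[str]) -> Iterable[Candidate]:
    for url in indexes:
        for ver in INDEXES.get(url, {}).get(name, []):
            yield Candidate(name, ver, url)


def resolve(name: str, index_url: str, extra_index_urls: Iterable[str] = ()) -> Candidate:
    """Mimic pip: --index-url and every --extra-index-url are searched as peers
    and the highest version wins, whichever index served it."""
    cands = list(candidates(name, (index_url, *extra_index_urls)))
    if not cands:
        raise LookupError(f"no matching distribution found for {name}")
    return max(cands, key=lambda c: parse_version(c.version))


def resolve_with_extra_index(name: str) -> Candidate:
    # Insecure configuration from the talk: public PyPI plus an internal extra index.
    return resolve(name, PUBLIC_INDEX, extra_index_urls=[INTERNAL_INDEX])


def resolve_with_index_url(name: str) -> Candidate:
    # Mitigation: the internal index alone, which must therefore mirror public deps.
    return resolve(name, INTERNAL_INDEX)


def audit_private_names(private_names: Iterable[str]) -> list[str]:
    """Check: which private package names would, under the --extra-index-url
    configuration, be served from the public index instead of the internal one?"""
    hijacked = []
    for name in private_names:
        try:
            winner = resolve_with_extra_index(name)
        except LookupError:
            continue
        if winner.index != INTERNAL_INDEX:
            hijacked.append(name)
    return hijacked


if __name__ == "__main__":
    print("extra-index-url:", resolve_with_extra_index("acme-internal-utils"))
    print("index-url:      ", resolve_with_index_url("acme-internal-utils"))
    print("hijackable:     ", audit_private_names(["acme-internal-utils"]))
```

Under the extra-index configuration the squatted 9999 release on the public index wins; with the internal index alone the real 1.3.0 is chosen, but anything not mirrored there (numpy in this model) fails to resolve, which is the "sync the entire repo" cost the talk mentions. In a real pip.conf the hardened form is `index-url = https://pypi.internal.example/simple` under `[global]` with no `extra-index-url` entry.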
Transcript [en]

It's like company-name-internal-something and version 9999. And when we looked in the official PyPI repos, we saw that someone had registered the same name and put the version 9999. So, apparently, this is a won't-fix vulnerability in PyPI, because they say that the extra index URL, which you can use to point to an internal PyPI repo, is designed to be insecure. It will check the official repo and it will check the internal repo, and it will just get the newest version. So, if you want to be safe, you're going to need to use index URL, but then of course you need to sync the entire repo, right?