GHSA-qc9x-gjcv-465w · Severity: high · Ecosystem: pip — Pipenv's requirements.txt parsing allows malicious index url in comments
pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability.
Conclusion & alert: CVE-2022-21668 is rated High Exploit Risk (80.5/100): CVSS High severity, with medium exploitation likelihood (EPSS 3.86%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +2.39% over the last day, indicating growing attacker interest. Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 1.48% | 3.86% | +2.39% |
| 2 | 2026-01-20 | 1.58% | 1.48% | -0.11% |
| 3 | 2025-11-21 | — | 1.58% | — |
Full EPSS history (24 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.0 | 3.1 | HIGH |
|
1.3 | 6.0 | [email protected] |
| 8.6 | 3.1 | HIGH |
|
1.8 | 6.0 | [email protected] |
| 9.3 | 2.0 | HIGH |
|
8.6 | 10.0 | [email protected] |
GHSA-qc9x-gjcv-465w · Severity: high · Ecosystem: pip — Pipenv's requirements.txt parsing allows malicious index url in comments
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
unimportant | CVE-2022-21668 unimportant priority: Debian including 1 source packages (pipenv), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2022-21668 |
ubuntu
|
medium | CVE-2022-21668 medium priority: Ubuntu including 1 source packages (pipenv), 15 status rows across 15 suites (bionic, focal, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): ignored 9, needs-triage 5, DNE 1. | https://ubuntu.com/security/CVE-2022-21668 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| pypa | pipenv | >= 2018.10.9, < 2022.1.8 | cpe:2.3:a:pypa:pipenv:*:*:*:*:*:*:*:* |
| fedoraproject | fedora | 34 | cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* |
| fedoraproject | fedora | 35 | cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* |
| fedoraproject | fedora | 36 | cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* |