5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-5252

GHSA ID

GHSA-7q25-qrjw-6fg2

EPSS Score

0.21648%

CWE

CWE-807

Published

3/24/2020

Updated

10/21/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-5252

CVE-2020-5252: Malicious package may avoid detection in python auditing

Python Auditing Vulnerability

Demonstrates how a malicious package can insert a load-time poison pill to avoid detection by tools like Safety.

Tools that are designed to find vulnerable packages can not ever run in the same python environment that they are trying to protect.

Usage

Install safety, insecure-package, and this package with pip in the same python environment. Order doesn't matter.

pip install safety
pip install insecure-package
pip install dist/malicious-0.1-py3-none-any.whl

Run the check

safety check

You should see both Running my modified safety.check and that insecure-package is not listed in the results!

How it Works

Everything in Python is mutable. The trick is getting some code to run at interpreter load time in order to do some patching.

When you install this package, the setup.py settings installs a malicious.pth file to your site-packages directory.
The malicious.pth file gets loaded anytime Python starts, which in turn imports our malicious package.
The malicious/__init__.py patches the safety library with a custom function to avoid detection.

(GitHub Advisory)

5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-5252

GHSA ID

GHSA-7q25-qrjw-6fg2

EPSS Score

0.21648%

CWE

CWE-807

Published

3/24/2020

Updated

10/21/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
safety	pip	< 1.9.0	1.9.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability relies on patching Safety's core check function at runtime. The proof of concept demonstrates direct modification of safety.check to filter out 'insecure-package'. The attack vector (via .pth file loading) exploits Python's mutable runtime environment to subvert Security Decision mechanisms (CWE-807). The check function is explicitly targeted in the malicious init.py code shown in advisories, making it the clear vulnerable entry point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

# Pyt*on *u*itin* Vuln*r**ility **monstr*t*s *ow * m*li*ious p**k*** **n ins*rt * lo**-tim* poison pill to *voi* **t**tion *y tools lik* S***ty. Tools t**t *r* **si*n** to *in* vuln*r**l* p**k***s **n not *v*r run in t** s*m* pyt*on *nvironm*nt t**

Reasoning

T** vuln*r**ility r*li*s on p*t**in* S***ty's *or* ****k *un*tion *t runtim*. T** proo* o* *on**pt **monstr*t*s *ir**t mo*i*i**tion o* s***ty.****k to *ilt*r out 'ins**ur*-p**k***'. T** *tt**k v**tor (vi* .pt* *il* lo**in*) *xploits Pyt*on's mut**l*

5

Basic Information

Concerned about an active attack path?

CVE-2020-5252: Malicious package may avoid detection in python auditing

Python Auditing Vulnerability

Usage

How it Works

5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI