CVE-2020-5252
CVE-2020-5252 is a medium-severity vulnerability in Pyup Safety with a CVSS 3.x base score of 5.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-807.
Key facts
- Severity: Medium (CVSS 3.x base score 5.0)
- CVSS v2: 1.9
- EPSS exploit prediction: 0% (29th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-807
- Affected product: Pyup Safety
- Published:
- Last modified:
Description
The command-line "safety" package for Python has a potential security issue. There are two Python characteristics that allow malicious code to “poison-pill” command-line Safety package detection routines by disguising, or obfuscating, other malicious or non-secure packages. This vulnerability is considered to be of low severity because the attack makes use of an existing Python condition, not the Safety tool itself. This can happen if: You are running Safety in a Python environment that you don’t trust. You are running Safety from the same Python environment where you have your dependencies installed. Dependency packages are being installed arbitrarily or without proper verification. Users can mitigate this issue by doing any of the following: Perform a static analysis by installing Docker and running the Safety Docker image: $ docker run --rm -it pyupio/safety check -r requirements.txt Run Safety against a static dependencies list, such as the requirements.txt file, in a separate, clean Python environment. Run Safety from a Continuous Integration pipeline. Use PyUp.io, which runs Safety in a controlled environment and checks Python for dependencies without any need to install them. Use PyUp's Online Requirements Checker.
Frequently asked questions
- What is CVE-2020-5252?
- The command-line "safety" package for Python has a potential security issue. There are two Python characteristics that allow malicious code to “poison-pill” command-line Safety package detection routines by disguising, or obfuscating, other malicious or non-secure packages. This vulnerability is considered to be of low severity because the attack makes use of an existing Python condition, not the Safety tool itself. This can happen if: You are running Safety in a Python environment that you don’t trust. You are running Safety from the same Python environment where you have your dependencies installed. Dependency packages are being installed arbitrarily or without proper verification. Users can mitigate this issue by doing any of the following: Perform a static analysis by installing Docker and running the Safety Docker image: $ docker run --rm -it pyupio/safety check -r requirements.txt Run Safety against a static dependencies list, such as the requirements.txt file, in a separate, clean Python environment. Run Safety from a Continuous Integration pipeline. Use PyUp.io, which runs Safety in a controlled environment and checks Python for dependencies without any need to install them. Use PyUp's Online Requirements Checker.
- How severe is CVE-2020-5252?
- CVE-2020-5252 has a CVSS 3.x base score of 5.0, rated medium severity. It is exploitable over local access with high attack complexity, requires high privileges and user interaction. Impact on confidentiality is none, integrity high, and availability none.
- Is CVE-2020-5252 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (29th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2020-5252?
- CVE-2020-5252 affects Pyup Safety. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2020-5252?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2020-5252 published?
- CVE-2020-5252 was published on 2020-03-23 and last updated on 2026-06-17.
References
- https://github.com/akoumjian/python-safety-vuln
- https://github.com/pyupio/safety/security/advisories/GHSA-7q25-qrjw-6fg2
- https://pyup.io/posts/patched-vulnerability/
Affected products (1)
- cpe:2.3:a:pyup:safety:*:*:*:*:*:*:*:*
Other CWE-807 vulnerabilities
- CVE-2025-13926 — Critical (CVSS 9.8): An attacker could use data obtained by sniffing the network traffic to forge packets in order to make arbitrary…
- CVE-2026-32975 — Critical (CVSS 9.8): OpenClaw before 2026.3.12 contains a weak authorization vulnerability in Zalouser allowlist mode that matches mutable…
- CVE-2025-12488 — Critical (CVSS 9.8): oobabooga text-generation-webui trust_remote_code Reliance on Untrusted Inputs Remote Code Execution Vulnerability.…
- CVE-2025-12487 — Critical (CVSS 9.8): oobabooga text-generation-webui trust_remote_code Reliance on Untrusted Inputs Remote Code Execution Vulnerability.…
- CVE-2025-49827 — Critical (CVSS 9.8): Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through…
- CVE-2025-1126 — Critical (CVSS 9.3): A Reliance on Untrusted Inputs in a Security Decision vulnerability has been identified in the Lexmark Print Management…