pip version 24.2 vulnerability

[akasaundhan]

Describe the bug
We are seeing vulnerability for pip version 24.2 which is coming from mcr.microsoft.com/azurelinux/base/python:3.12 because it has pip version 24.2 when I run docker run --rm mcr.microsoft.com/azurelinux/base/python:3.12 pip --version.

However I am not sure pip vulnerability does not appear for image azurelinux/base/python:3.12 while it appears in our service using it(probably have been suppressed or something). Its not working for us simply just by doing pip upgrade, we have to remove the pip installed from mcr.microsoft.com/azurelinux/base/python:3.12 and then install pip to

vul:
5005553 │ Python (Pip) Security Update for pip (GHSA-4xh5-x5gv-qwph) │
│ │ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8869 │
│ │ Risk: HIGH - CVSS: 8.6 │
│ │ Publish Date: 25 September 2025 │
│ │ 1. Library pip │
│ │ Installed: 24.2 - Fixed: 25.3 │
│ │ Language: Python │
│ │ Path: usr/lib/python3.12/site-packages/pip-24.2.dist-info/METADATA

To Reproduce
Steps to reproduce the behavior:
We are doing following steps:

1. FROM mcr.microsoft.com/azurelinux/base/python:3.12 AS build
2. FROM mcr.microsoft.com/azure-cli:2.80.0-azurelinux3.0
3. COPY --from=build /ServiceName /ServiceName
   COPY --from=build /usr/lib/ /usr/lib/
   COPY --from=build /usr/bin/ /usr/bin/

Expected behavior

Screenshots

[eric-desrochers]

We backported the fix into version 24.2-4. If you are using this version and onward, you are not vulnerable. It appears that the scanning report does not seems to take our backport into account and is expecting an upgrade to the fixed upstream version, which likely explains the false positive.

Which scanning tool are you using to generate that report ?

https://raw.githubusercontent.com/microsoft/AzureLinuxVulnerabilityData/refs/heads/main/azurelinux-3.0-oval.xml

   <definition class="vulnerability" id="oval:com.microsoft.azurelinux:def:67788" version="1">
      <metadata>
        <title>CVE-2025-8869 affecting package python-pip for versions less than 24.2-4</title>
        <affected family="unix">
          <platform>Azure Linux</platform>
        </affected>
        <reference ref_id="CVE-2025-8869" ref_url="https://nvd.nist.gov/vuln/detail/CVE-2025-8869" source="CVE"/>
        <patchable>true</patchable>
        <advisory_date>2025-10-28T21:13:13.537Z</advisory_date>
        <advisory_id>67788-1</advisory_id>
        <severity>Medium</severity>
        <description>CVE-2025-8869 affecting package python-pip for versions less than 24.2-4. A patched version of the package is available.</description>
      </metadata>
      <criteria operator="AND">
        <criterion comment="Package python-pip is earlier than 24.2-4, affected by CVE-2025-8869" test_ref="oval:com.microsoft.azurelinux:tst:67788000"/>
      </criteria>
    </definition>