CVE-2025-8869
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-24

Last updated on: 2025-11-03

Assigner: Python Software Foundation

Description
When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706. Note that this is a vulnerability in pip's fallback implementation of tar extraction for Python versions that don't implement PEP 706 and therefore are not secure to all vulnerabilities in the Python 'tarfile' module. If you're using a Python version that implements PEP 706 then pip doesn't use the "vulnerable" fallback code. Mitigations include upgrading to a version of pip that includes the fix, upgrading to a Python version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or inspecting source distributions (sdists) before installation as is already a best-practice.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-24
Last Modified
2025-11-03
Generated
2026-05-09
AI Q&A
2025-09-24
EPSS Evaluated
2026-05-07
NVD
CVE-2025-8869
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
pypa pip *
pypa pip 20.3.4-4+deb11u2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs when pip extracts a tar archive using a fallback implementation that does not properly check if symbolic links point inside the extraction directory. This happens if the Python tarfile module does not implement PEP 706. As a result, malicious tar archives could potentially create symbolic links that point outside the intended extraction directory, leading to security risks. The issue affects pip versions running on Python versions that lack PEP 706 support.


How can this vulnerability impact me? :

The vulnerability can allow an attacker to craft tar archives with symbolic links that point outside the extraction directory, potentially leading to unauthorized file overwrites or access to files outside the intended area. This can compromise system integrity or security when installing packages using pip on affected Python versions.


What immediate steps should I take to mitigate this vulnerability?

Immediate steps to mitigate this vulnerability include upgrading pip to a version that includes the fix, upgrading your Python version to one that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch if available, and inspecting source distributions (sdists) before installation as a best practice.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart