CVE-2025-71176
Unknown Unknown - Not Provided
Directory Traversal in pytest Allows Local DoS and Privilege Escalation

Publication date: 2026-01-22

Last updated on: 2026-01-22

Assigner: MITRE

Description
pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-01-22
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-71176
EUVD
EUVD-2026-4171
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pytest pytest 9.0.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-379 The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-71176 is a vulnerability in pytest on UNIX systems related to its handling of temporary directories. Pytest creates temporary directories under predictable paths like /tmp/pytest-of-{user} and performs ownership checks that follow symbolic links (symlinks). This creates a Time-Of-Check to Time-Of-Use (TOCTOU) race condition, allowing local attackers to exploit symlink attacks. An attacker can create a symlink from the expected directory to a location they control, causing pytest to write data or change permissions in unintended places. This can lead to denial of service or potentially privilege escalation depending on the context. [1, 2]

Impact Analysis

This vulnerability can allow local users on a UNIX system to cause a denial of service by interfering with pytest's temporary directories. Additionally, depending on the environment and usage, it may allow attackers to gain elevated privileges or execute code by exploiting the predictable temporary directory names and symlink race conditions. This is particularly relevant in multi-user or cloud continuous integration environments where multiple users share the same system. [1, 2]

Detection Guidance

This vulnerability can be detected by checking for the presence of the predictable temporary directories named /tmp/pytest-of-<user> and verifying if they are symbolic links pointing to unexpected locations. On Linux systems, you can use commands like `ls -l /tmp/pytest-of-*` to list these directories and check for symlinks. Additionally, inspecting sysctl settings related to filesystem protections can help detect if protections are disabled: `sysctl fs.protected_fifos fs.protected_regular fs.protected_symlinks fs.protected_hardlinks`. If these are not set to recommended values, the system is more vulnerable. [1, 2]

Mitigation Strategies

Immediate mitigation steps include manually creating a secure temporary directory using commands like `mktemp -d` and configuring pytest to use this directory instead of the default /tmp/pytest-of-<user> path by setting environment variables such as `PYTEST_DEBUG_TEMPROOT` or overriding Python's `tempfile.gettempdir`. Additionally, on Linux systems, enable the following sysctl settings to harden filesystem protections: `fs.protected_fifos=2`, `fs.protected_regular=2`, `fs.protected_symlinks=1`, and `fs.protected_hardlinks=1`. These measures help prevent exploitation of the TOCTOU vulnerability by restricting symlink and file manipulation attacks. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71176. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart