CVE-2025-8869

MEDIUM

pip < 25.3 - Directory Traversal via Symbolic Link Handling in Tar Extraction

Title source: llm

Description

When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706. Note that this is a vulnerability in pip's fallback implementation of tar extraction for Python versions that don't implement PEP 706 and therefore are not secure to all vulnerabilities in the Python 'tarfile' module. If you're using a Python version that implements PEP 706 then pip doesn't use the "vulnerable" fallback code. Mitigations include upgrading to a version of pip that includes the fix, upgrading to a Python version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or inspecting source distributions (sdists) before installation as is already a best-practice.

References (3)

Core 3

Core References

Issue Tracking patch

https://github.com/pypa/pip/pull/13550

Various Sources vendor-advisory

https://mail.python.org/archives/list/[email protected]/thread/IF5A3GCJY3VH7BVHJKOWOJFKTW7VFQEN/

Mailing List

https://lists.debian.org/debian-lts-announce/2025/10/msg00028.html

Scores

CVSS v4 5.9

EPSS 0.0002

EPSS Percentile 6.0%

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

Status published

Products (2)

pypi/pip 0 - 25.3PyPI

Python Packaging Authority/pip < 25.3

Published Sep 24, 2025

Tracked Since Feb 18, 2026