Vulnerability Lookup

🛡️ CVE-2025-8869

⚪ Unknown ✅ No Known Exploit CWE-59 NVD

N/A

CVSS Score

0 Low4 Medium7 High9 Critical10

Description

When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706. Note that this is a vulnerability in pip's fallback implementation of tar extraction for Python versions that don't implement PEP 706 and therefore are not secure to all vulnerabilities in the Python 'tarfile' module. If you're using a Python version that implements PEP 706 then pip doesn't use the "vulnerable" fallback code. Mitigations include upgrading to a version of pip that includes the fix, upgrading to a Python version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or inspecting source distributions (sdists) before installation as is already a best-practice.

Details

Severity Unknown

CVSS Score N/A

CVSS Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

CWE CWE-59

Public Exploit ✅ No

Source NVD

Published 2025-09-24

Updated 2026-06-02

Modified 2026-03-24

Fix URL N/A

Affected Packages

Software	From version	Fixed in
pip	—	25.3
unknown	—	—

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-8869

WEB https://github.com/pypa/pip/pull/13550

WEB https://github.com/pypa/pip/commit/f2b92314da012b9fffa36b3f3e67748a37ef464a

PACKAGE https://github.com/pypa/pip

WEB https://lists.debian.org/debian-lts-announce/2025/10/msg00028.html

WEB https://mail.python.org/archives/list/[email protected]/thread/IF5A3GCJY3VH7BVHJKOWOJFKTW7VFQEN

WEB https://pip.pypa.io/en/stable/news/#v25-2

🔗 NVD 🔗 Mitre

Similar Threats

Vulnerability Monitoring

Stay informed about vulnerabilities in your stack

BotEraser monitors your WordPress installation and notifies you when software you use appears in our vulnerability database.

Set Up Free Alerts →

No credit card required · Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.

Stay informed about vulnerabilities in your stack

Company

Resources

Services

Trusted

Subscribe