Vulnerability in pip's tar extraction for Python versions lacking PEP 706 support
CVE-2025-8869

5.9 MEDIUM

Key Information:

CVE Published: 24 September 2025

What is CVE-2025-8869?

The vulnerability in pip arises when it extracts tar archives (for example, source distributions): symbolic links in the archive are not verified to resolve inside the extraction directory, because the tarfile module in older Python versions lacks the PEP 706 extraction filters. When a Python version does not implement PEP 706, pip falls back to its own extraction path, which exposes users to this risk. Users on such versions should upgrade to a fixed pip version or, ideally, move to a Python version that natively implements PEP 706. Other mitigations include applying the recommended patches or carefully inspecting source distributions before installing them.
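As an added defensive example (not pip's own code), the check below inspects a source-distribution tarball for members whose path, symlink target or hardlink target would resolve outside the extraction directory, and prefers the PEP 706 data filter whenever the running Python provides tarfile.data_filter. The demo-1.0 package and its symlink are constructed in memory for the demonstration.

```python
import io
import posixpath
import tarfile
from typing import List

def _escapes(base: str, target: str) -> bool:
    """True if `target`, resolved relative to `base`, leaves the extraction root."""
    joined = posixpath.normpath(posixpath.join(base, target))
    return posixpath.isabs(target) or joined == ".." or joined.startswith("../")

def unsafe_members(tar_bytes: bytes) -> List[str]:
    """Members an unfiltered extractall() could write outside the target directory."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if _escapes(".", m.name):
                findings.append(f"{m.name}: path escapes extraction root")
            elif m.issym() and _escapes(posixpath.dirname(m.name), m.linkname):
                findings.append(f"{m.name}: symlink target {m.linkname!r} escapes extraction root")
            elif m.islnk() and _escapes(".", m.linkname):
                findings.append(f"{m.name}: hardlink target {m.linkname!r} escapes extraction root")
    return findings

def extract_checked(tar_bytes: bytes, dest: str) -> str:
    """Use the PEP 706 'data' filter when this Python has it; otherwise check first."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        if hasattr(tarfile, "data_filter"):
            tf.extractall(dest, filter="data")  # raises tarfile.FilterError on escaping links
            return "pep706-filter"
        bad = unsafe_members(tar_bytes)  # the fallback path must not extract blindly
        if bad:
            raise tarfile.TarError("refusing to extract: " + "; ".join(bad))
        tf.extractall(dest)
        return "manual-check"

def build_sample_sdist(with_escape: bool = True) -> bytes:
    """Constructed in-memory sdist-like tarball; demo-1.0 is a made-up package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        data = b"from setuptools import setup\nsetup(name='demo')\n"
        info = tarfile.TarInfo("demo-1.0/setup.py")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("demo-1.0/docs/README")  # symlink member
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../outside.txt" if with_escape else "../setup.py"
        tf.addfile(link)
    return buf.getvalue()
```

Running unsafe_members() over a downloaded sdist before installation gives the pre-installation inspection the advisory recommends; a non-empty result is a reason not to install.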

Affected Version(s)

pip < 25.3 (all versions before 25.3)

CVSS v4

  • Score: 5.9
  • Severity: MEDIUM
  • Confidentiality: None
  • Integrity: High
  • Availability: None
  • Attack Vector: Network
  • Attack Complexity: Low
  • Attack Requirements: Physical
  • Privileges Required: Undefined
  • User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved
