CVE-2025-8869 Path Traversal in Packaging Authority PIP

Severity: 5.9 MEDIUM (NVD)
EPSS: 0.0% (top 94.23%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 24, 2025

Description

When extracting a tar archive, pip may not check that symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706. Note that this is a vulnerability in pip's fallback implementation of tar extraction for Python versions that don't implement PEP 706 and therefore are not secure to all vuln
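The following is an added example written for this page, not pip's fallback extractor and not CPython's PEP 706 code. It builds a constructed archive of the shape the advisory describes (a symlink pointing above the extraction directory, followed by a regular file written through that link), flags the escaping member with an explicit containment check, and extracts only when nothing escapes, using the PEP 706 "data" filter where the interpreter provides it. The archive contents, the sandbox layout, and the function names (unsafe_members, safe_extract, run_demo) are assumptions for illustration.

```python
"""Added example: refusing tar members whose symlink targets leave the
extraction directory. Illustration only; not pip or CPython code."""
import io
import os
import tarfile
import tempfile
from typing import List


def build_symlink_escape_tar() -> bytes:
    """Constructed sample archive (not a real sdist). The symlink pkg/escape
    resolves two levels above the extraction directory, and a regular file is
    then written "through" it, the archive shape the advisory describes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("pkg/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"  # above the extraction directory
        tar.addfile(link)
        payload = b"owned\n"
        victim = tarfile.TarInfo("pkg/escape/owned.txt")
        victim.size = len(payload)
        tar.addfile(victim, io.BytesIO(payload))
    return buf.getvalue()


def build_benign_tar() -> bytes:
    """Constructed control archive whose only symlink stays inside pkg/."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"
        readme = tarfile.TarInfo("pkg/README")
        readme.size = len(data)
        tar.addfile(readme, io.BytesIO(data))
        link = tarfile.TarInfo("pkg/docs")
        link.type = tarfile.SYMTYPE
        link.linkname = "README"  # relative to pkg/, stays inside
        tar.addfile(link)
    return buf.getvalue()


def _inside(dest: str, path: str) -> bool:
    """Lexical containment: does `path` (relative to dest, or absolute)
    normalise to something at or under dest?"""
    dest = os.path.abspath(dest)
    full = os.path.normpath(os.path.join(dest, path))
    return os.path.commonpath([dest, full]) == dest


def unsafe_members(data: bytes, dest: str) -> List[str]:
    """Names of members whose own path, or whose link target, would land
    outside dest. A symlink target is relative to the link's own directory;
    a hard-link target is relative to the archive root."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar.getmembers():
            if not _inside(dest, m.name):
                bad.append(m.name)
            elif m.issym():
                target = os.path.join(os.path.dirname(m.name), m.linkname)
                if not _inside(dest, target):
                    bad.append(m.name)
            elif m.islnk() and not _inside(dest, m.linkname):
                bad.append(m.name)
    return bad


def safe_extract(data: bytes, dest: str) -> bool:
    """Extract data into dest; return False and write nothing if any member
    escapes. The pre-check runs on every interpreter; on Pythons that ship
    PEP 706, the 'data' filter (which resolves real paths on disk) is applied
    as well."""
    if unsafe_members(data, dest):
        return False
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
    return True


def run_demo() -> dict:
    """Run both constructed archives against a throwaway sandbox and report
    what happened, so the outcome can be checked rather than just printed."""
    results = {}
    with tempfile.TemporaryDirectory() as sandbox:
        dest = os.path.join(sandbox, "target")
        os.makedirs(dest)
        os.makedirs(os.path.join(sandbox, "outside"))  # where ../../outside lands
        bad, good = build_symlink_escape_tar(), build_benign_tar()
        results["flagged"] = unsafe_members(bad, dest)
        results["benign_flagged"] = unsafe_members(good, dest)
        results["bad_extracted"] = safe_extract(bad, dest)
        results["escaped"] = os.path.exists(os.path.join(sandbox, "outside", "owned.txt"))
        results["good_extracted"] = safe_extract(good, dest)
        results["link_kept"] = os.path.islink(os.path.join(dest, "pkg", "docs"))
    return results


if __name__ == "__main__":
    print(run_demo())
```

The lexical pre-check is the piece the advisory says the fallback path lacked: without it, extracting pkg/escape creates the link and the next member is written wherever ../../outside points. It deliberately rejects the whole archive rather than skipping the offending member, since a later member may depend on the link. On interpreters with PEP 706 the "data" filter performs the same containment test, and additionally resolves link targets with realpath, so prefer a Python that implements PEP 706 over any application-level check.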

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages: 5 packages

🔴 Vulnerability Details (3)

OSV: CVE-2025-8869: When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706 (2025-09-24)
OSV: pip's fallback tar extraction doesn't check symbolic links point to extraction directory (2025-09-24)
GHSA: pip's fallback tar extraction doesn't check symbolic links point to extraction directory (2025-09-24)

📋 Vendor Advisories (3)

Red Hat: pip: pip missing checks on symbolic link extraction (2025-09-24)
Microsoft: Fallback tar extraction in pip doesn't check symbolic links point to extraction directory (2025-09-09)
Debian: CVE-2025-8869: python-pip - When extracting a tar archive pip may not check symbolic links point into the ex... (2025)

💬 Community (1)

Bugzilla: CVE-2025-8869 pypy: pip missing checks on symbolic link extraction [fedora-all] (2025-09-24)