Bug 2397852 (CVE-2025-8869) - CVE-2025-8869 pip: pip missing checks on symbolic link extraction
Summary: CVE-2025-8869 pip: pip missing checks on symbolic link extraction
Keywords:
Status: NEW
Alias: CVE-2025-8869
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2397927 2397929 2397928 2397930
Blocks:
Reported: 2025-09-24 16:02 UTC by OSIDB Bzimport
Modified: 2025-09-24 20:11 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-09-24 16:02:23 UTC
When extracting a tar archive, pip may not check that symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706.
Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706.

Note that this is a vulnerability in pip's fallback implementation of tar extraction, which is used on Python versions that don't implement PEP 706 and are therefore not protected against all vulnerabilities in the Python 'tarfile' module. If you're using a Python version that implements PEP 706, pip doesn't use the "vulnerable" fallback code.

Mitigations include upgrading to a version of pip that includes the fix, upgrading to a Python version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or inspecting source distributions (sdists) before installation, which is already a best practice.
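The kind of link-target check that the fallback extractor described above is missing, as an added illustration that is not pip's own code: each member's path and, for symbolic and hard links, its target are resolved against the extraction directory before anything is written, and on a Python that implements PEP 706 the tarfile "data" filter is applied as a second layer. The in-memory fixture archive, the `/tmp/extract` default and the function names are constructed for this example.

```python
import io
import os
import tarfile
from typing import Dict, Optional
def _is_within(base: str, target: str) -> bool:
    """True if target resolves (symlinks and '..' included) to a location inside base."""
    base, target = os.path.realpath(base), os.path.realpath(target)
    return os.path.commonpath([base, target]) == base

def check_member(member: tarfile.TarInfo, dest: str) -> Optional[str]:
    """Return a rejection reason, or None if the member may be extracted into dest."""
    path = os.path.join(dest, member.name)
    if not _is_within(dest, path):
        return f"{member.name}: path escapes {dest}"
    if member.issym():  # symlink targets resolve relative to the link's own directory
        target = os.path.join(os.path.dirname(path), member.linkname)
    elif member.islnk():  # hard-link targets resolve relative to the archive root
        target = os.path.join(dest, member.linkname)
    else:
        return None  # regular files and directories: only the name check applies
    if not _is_within(dest, target):
        return f"{member.name}: link target {member.linkname!r} escapes {dest}"
    return None

def audit_archive(data: bytes, dest: str = "/tmp/extract") -> Dict[str, str]:
    """Map each unsafe member name to its rejection reason, without extracting."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        return {m.name: r for m in tar.getmembers() if (r := check_member(m, dest))}

def safe_extract(data: bytes, dest: str) -> None:
    """Refuse the whole archive if any member is unsafe; otherwise extract it."""
    bad = audit_archive(data, dest)
    if bad:
        raise ValueError("unsafe archive: " + "; ".join(bad.values()))
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        if hasattr(tarfile, "data_filter"):  # PEP 706 Python: its filter is a second layer
            tar.extractall(dest, filter="data")
        else:  # pre-PEP 706 Python: the audit above is the only guard
            tar.extractall(dest)

def build_sample_archive() -> bytes:
    """Constructed fixture: a regular file, an in-tree symlink and an escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        setup, body = tarfile.TarInfo("pkg/setup.py"), b"# constructed sample\n"
        setup.size = len(body)
        tar.addfile(setup, io.BytesIO(body))
        for name, linkname in (("pkg/alias", "setup.py"), ("pkg/escape", "../../outside")):
            link = tarfile.TarInfo(name)
            link.type, link.linkname = tarfile.SYMTYPE, linkname
            tar.addfile(link)
    return buf.getvalue()
```

Running `audit_archive(build_sample_archive())` reports only `pkg/escape`: the symlink `pkg/alias -> setup.py` stays inside the tree and is accepted, while the archive as a whole is refused by `safe_extract` before any file is written.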

