
CVE-2025-8869: pip's fallback tar extraction doesn't check symbolic links point to extraction directory

CVSS Score: N/A

Basic Information

EPSS Score: -
Published: 9/24/2025
Updated: 9/24/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: -

Package Name: pip
Ecosystem: pip
Vulnerable Versions: < 25.2
First Patched Version: 25.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is a path traversal issue in pip's fallback tar extraction mechanism, which is used on Python versions that do not implement PEP 706 (e.g., Python < 3.9.17, < 3.10.12, < 3.11.4). The root cause is the failure to validate symbolic links within tar archives before extraction.

The analysis of the patch f2b92314da012b9fffa36b3f3e67748a37ef464a reveals that the function _untar_without_filter in src/pip/_internal/utils/unpacking.py was responsible for this insecure behavior. Before the fix, it would extract any symbolic link, allowing an attacker to craft a tar file with a symlink pointing to a sensitive location outside the intended extraction directory (e.g., ../../.ssh/authorized_keys). When a user on a vulnerable system installed this malicious package, pip would create this link, potentially leading to arbitrary file creation or overwrite.

The function untar_file acts as the dispatcher. It checks for the presence of the secure tarfile.data_filter and, if absent, calls the vulnerable _untar_without_filter function. Therefore, both untar_file and _untar_without_filter would appear in a runtime profile during exploitation. The patch remediates this by adding a new function, is_symlink_target_in_tar, and using it within _untar_without_filter to ensure that all symbolic link targets are safely contained within the archive before extraction.

Vulnerable functions

_untar_without_filter
src/pip/_internal/utils/unpacking.py
This function serves as a fallback for extracting tar archives on older Python versions that do not have the `tarfile.data_filter` feature. Before the patch, this function did not validate whether a symbolic link's target was within the extraction directory. This allowed a maliciously crafted tar file to create a symbolic link pointing to an arbitrary path on the filesystem, leading to a path traversal vulnerability.
untar_file
src/pip/_internal/utils/unpacking.py
This is the primary function for unpacking tar files in pip. It is responsible for checking the Python environment and deciding whether to use the modern, secure extraction method or the vulnerable fallback. When running on a Python version without PEP 706 support, it calls the `_untar_without_filter` function, thereby processing the malicious input and triggering the vulnerability.
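The following is an added example, not pip's own code: it models the fallback path described above (a dispatcher that falls back to manual extraction when `tarfile.data_filter` is absent) with a hypothetical `is_symlink_target_in_tar` check resolving each link target against the extraction directory before the link is created. The helper names, the constructed in-memory archive and the `../` sample entries are assumptions made for this demonstration; they are not taken from the pip patch. On an interpreter that does implement PEP 706 the right choice is `filter="data"`, and the example only forces the legacy behaviour there so the check can be exercised on any Python version.

```python
import io
import os
import tarfile
import tempfile


def is_within_directory(directory: str, target: str) -> bool:
    """True if target (after resolving '..' and existing symlinks) lies under directory."""
    directory = os.path.realpath(directory)
    target = os.path.realpath(target)
    return target == directory or target.startswith(directory + os.sep)


def is_symlink_target_in_tar(member: tarfile.TarInfo, target_dir: str) -> bool:
    """Decide whether a link member may be created under target_dir.

    Hypothetical helper modelled on the check the advisory describes; it is not
    pip's implementation. A symlink target is interpreted relative to the
    directory that will contain the link; a hard-link target is relative to the
    extraction root. Absolute targets are rejected outright.
    """
    if os.path.isabs(member.linkname):
        return False
    if member.issym():
        link_dir = os.path.dirname(os.path.join(target_dir, member.name))
        resolved = os.path.join(link_dir, member.linkname)
    else:
        resolved = os.path.join(target_dir, member.linkname)
    return is_within_directory(target_dir, resolved)


def extract_without_filter(archive: bytes, target_dir: str):
    """Fallback extraction for Pythons without tarfile.data_filter.

    Returns (extracted, rejected) member names. Each member is checked right
    before it is written, so links created by earlier members are already on
    disk when later relative targets are resolved.
    """
    # Only to reproduce pre-PEP 706 behaviour on newer interpreters; real code
    # on a PEP 706 Python should pass filter="data" and never reach this path.
    legacy = {"filter": "fully_trusted"} if hasattr(tarfile, "data_filter") else {}
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            dest = os.path.join(target_dir, member.name)
            if not is_within_directory(target_dir, dest):
                rejected.append(member.name)  # member name itself traverses out
                continue
            if (member.issym() or member.islnk()) and not is_symlink_target_in_tar(member, target_dir):
                rejected.append(member.name)  # link target traverses out
                continue
            tar.extract(member, path=target_dir, **legacy)
            extracted.append(member.name)
    return extracted, rejected


def build_sample_tar() -> bytes:
    """Constructed archive: one regular file, one benign symlink, two traversal entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"
        info = tarfile.TarInfo("pkg/README")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        ok = tarfile.TarInfo("pkg/link_ok")  # symlink staying inside pkg/
        ok.type = tarfile.SYMTYPE
        ok.linkname = "README"
        tar.addfile(ok)
        evil = tarfile.TarInfo("pkg/evil")  # symlink escaping the tree
        evil.type = tarfile.SYMTYPE
        evil.linkname = "../../outside_the_tree"
        tar.addfile(evil)
        escape = tarfile.TarInfo("../escape")  # plain name traversal
        tar.addfile(escape)
    return buf.getvalue()


def demo():
    """Extract the constructed archive into a scratch directory and report the outcome."""
    with tempfile.TemporaryDirectory() as target:
        extracted, rejected = extract_without_filter(build_sample_tar(), target)
        link_target = os.readlink(os.path.join(target, "pkg", "link_ok"))
    return extracted, rejected, link_target


if __name__ == "__main__":
    print(demo())  # → (['pkg/README', 'pkg/link_ok'], ['pkg/evil', '../escape'], 'README')
```

Checking each member immediately before it is written matters: a symlink created by an earlier member can redirect where a later relative name or link target lands, and resolving with `realpath` at that moment accounts for what is already on disk.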

WAF Protection Rules

WAF Rule

When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilit
