Security-announce

Download

security-announce@python.org

September 2025

1 participants
2 discussions

[CVE-2025-8869] Fallback tar extraction in pip doesn't check symbolic links point to extraction directory
by Seth Larson Sept. 24, 2025

Sept. 24, 2025

When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706. Note that this is a vulnerability in pip's fallback implementation of tar extraction for Python versions that don't implement PEP 706 and therefore are not secure to all vulnerabilities in the Python 'tarfile' module. If you're using a Python version that implements PEP 706 then pip doesn't use the "vulnerable" fallback code. Mitigations include upgrading to a version of pip that includes the fix, upgrading to a Python version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or inspecting source distributions (sdists) before installation as is already a best-practice. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2025-8869 * https://github.com/pypa/pip/pull/13550

1 0

New phishing campaign against PyPI is ongoing
by Seth Larson Sept. 23, 2025

Sept. 23, 2025

Hello, There is a new ongoing phishing campaign against PyPI users occurring. This campaign uses the same tactics as the previous campaign, but with a new domain and there isn't any indication that this will be the last campaign. This alert details what PyPI maintainers are doing to protect PyPI users and what practices package maintainers can adopt to protect their own users. As always, you can report suspicious activity on your account or package to security(a)pypi.org Read more: https://blog.pypi.org/posts/2025-09-23-plenty-of-phish-in-the-sea/

1 0