CVE-2025-8869
Arbitrary File Write vulnerability in pip (PyPI)
What is CVE-2025-8869 About?
This vulnerability in `pip` allows for arbitrary file overwriting during the installation of malicious source distributions (sdists) if the fallback extraction path is used. It arises because `pip` fails to verify that symbolic or hard link targets resolve inside the intended extraction directory. An attacker can craft an sdist to include links that escape this directory, enabling them to overwrite arbitrary files on the host system. Exploitation requires installing an attacker-controlled sdist, making it moderately complex depending on the distribution mechanism.
Affected Software
Technical Details
In pip's fallback extraction path for source distributions (sdists), the archive is unpacked with Python's `tarfile` module. The vulnerability stems from the fact that pip does not sufficiently verify that symbolic links (symlinks) or hard links (hardlinks) contained in the archive resolve strictly within the intended extraction directory. A malicious sdist can be crafted to include links that, once extracted, point to locations outside the designated build or extraction directory. Consequently, when `pip install` unpacks the sdist, it follows these links and overwrites arbitrary files on the invoking host. This bypasses the intended directory confinement, allowing an attacker to modify or corrupt critical system files.
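The confinement check described above, as an added illustration (not pip's own code): a lexical audit that resolves each member's path and symlink/hardlink target against a hypothetical extraction root `/build` and flags anything that lands outside it. The sdist-shaped tarball is a constructed fixture with one benign link and two escaping ones.

```python
import io
import posixpath
import tarfile


def member_escapes(member: tarfile.TarInfo, dest: str = "/build") -> bool:
    """True if a tar member's path, or its symlink/hardlink target, would land outside dest.

    dest is a hypothetical extraction root; the check is purely lexical, so it can
    be run on an archive before anything is written to disk.
    """
    dest = posixpath.normpath(dest)
    here = posixpath.normpath(posixpath.join(dest, member.name))
    if posixpath.commonpath([dest, here]) != dest:
        return True  # plain path traversal in the member name
    if member.issym():
        if posixpath.isabs(member.linkname):
            return True  # an absolute symlink target never stays inside dest
        # symlink targets are resolved relative to the directory holding the link
        target = posixpath.join(posixpath.dirname(here), member.linkname)
    elif member.islnk():
        # hard link targets are archive-relative paths
        target = posixpath.join(dest, member.linkname)
    else:
        return False
    return posixpath.commonpath([dest, posixpath.normpath(target)]) != dest


def audit_sdist(archive: bytes, dest: str = "/build") -> list:
    """Names of members that would escape dest; an empty list means the archive is confined."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        return [m.name for m in tar.getmembers() if member_escapes(m, dest)]


def build_sample_sdist() -> bytes:
    """Constructed fixture: a minimal sdist-shaped tarball with one benign and two escaping links."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        setup = tarfile.TarInfo("pkg-1.0/setup.py")
        body = b"from setuptools import setup\nsetup(name='pkg', version='1.0')\n"
        setup.size = len(body)
        tar.addfile(setup, io.BytesIO(body))
        inner = tarfile.TarInfo("pkg-1.0/inner")       # benign: stays in the package dir
        inner.type, inner.linkname = tarfile.SYMTYPE, "setup.py"
        tar.addfile(inner)
        sym = tarfile.TarInfo("pkg-1.0/escape")        # resolves to /outside.txt
        sym.type, sym.linkname = tarfile.SYMTYPE, "../../outside.txt"
        tar.addfile(sym)
        hard = tarfile.TarInfo("pkg-1.0/hard")         # archive-relative target above dest
        hard.type, hard.linkname = tarfile.LNKTYPE, "../outside.txt"
        tar.addfile(hard)
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_sdist(build_sample_sdist()))  # ['pkg-1.0/escape', 'pkg-1.0/hard']
```

On Python 3.12 and later (and the 3.8.17/3.9.17/3.10.12/3.11.4 backports), `tarfile`'s `data` extraction filter performs an equivalent rejection at extraction time; the lexical pass above is useful for auditing archives before they reach an extractor.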
What is the Impact of CVE-2025-8869?
Successful exploitation may allow attackers to overwrite arbitrary files outside the intended installation directory. This can lead to system integrity compromise, tampering with configuration or startup files, and potentially further code execution or a complete system compromise depending on the overwritten files.
What is the Exploitability of CVE-2025-8869?
Exploitation of this vulnerability is of moderate complexity. It is triggered when a user installs an attacker-controlled source distribution (sdist), for example from a package index or a direct URL, and pip takes the fallback extraction code path. No special privileges beyond running `pip install` are required, but active user action (running the install command) is necessary. The attack is considered local to the machine running `pip install`, as it directly manipulates that machine's filesystem. There are no authentication requirements beyond being able to initiate the `pip install` command. A special condition is that the affected pip version relies on the `tarfile` module's default behavior without path sanitization specific to archive extraction. The likelihood of exploitation is higher in environments where users frequently install packages from untrusted or public sources, or where package repositories are compromised to host malicious sdists.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-8869?
About the Fix from Resolved Security
This patch ensures that when unpacking tar files, symbolic links are only created if their targets exist within the archive, preventing symlinks from referencing files outside the intended extraction directory. This mitigates the CVE-2025-8869 vulnerability, which allowed malicious tar archives to create symlinks pointing outside the target directory, potentially leading to arbitrary file overwrites or unauthorized file access.
Available Upgrade Options
- No fixes available
Additional Resources
- https://github.com/pypa/pip
- https://github.com/pypa/pip/pull/13550
- https://osv.dev/vulnerability/GHSA-4xh5-x5gv-qwph
- https://mail.python.org/archives/list/security-announce@python.org/thread/IF5A3GCJY3VH7BVHJKOWOJFKTW7VFQEN/
- https://github.com/pypa/pip/commit/f2b92314da012b9fffa36b3f3e67748a37ef464a
- https://pip.pypa.io/en/stable/news/#v25-2
- https://nvd.nist.gov/vuln/detail/CVE-2025-8869
What are Similar Vulnerabilities to CVE-2025-8869?
Similar Vulnerabilities: CVE-2023-49034, CVE-2022-31057, CVE-2022-28461, CVE-2021-3770, CVE-2021-23343
