CVE-2025-8869: 
Python vulnerability analysis and mitigation

CVE-2025-8869 affects pip's tar archive extraction functionality when used with Python versions that don't implement PEP 706. The vulnerability was discovered and disclosed on September 24, 2025, impacting pip's fallback implementation of tar extraction. The issue occurs when extracting tar archives where symbolic links may point outside the extraction directory, potentially leading to security risks (Python Security Announce).

The vulnerability exists in pip's fallback implementation for handling symbolic links during tar extraction on Python versions without PEP 706 support. When extracting a tar archive, pip may fail to properly validate whether symbolic links point to locations within the intended extraction directory. The issue has been assigned a CVSS v4.0 Base Score of 5.9 (MEDIUM) with vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N (NVD).

The vulnerability could allow attackers to create malicious tar archives that, when extracted, establish symbolic links pointing to unauthorized locations outside the intended extraction directory. This could potentially lead to security issues during package installation processes (Python Security Announce).

Several mitigation options are available: 1) Upgrade to a version of pip that includes the fix, 2) Upgrade to a Python version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), 3) Apply the patch available in the GitHub pull request, or 4) Follow the best practice of inspecting source distributions (sdists) before installation (Python Security Announce).