
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-8869 affects pip's tar archive extraction when pip runs on a Python version that does not implement PEP 706 (safe extraction filters in tarfile). The vulnerability was disclosed on September 24, 2025, and lies in pip's fallback implementation of tar extraction. When extracting a tar archive, this fallback may not verify that symbolic links point to locations inside the intended extraction directory (Python Security).
The vulnerability exists only in the fallback path pip uses on Python versions without PEP 706 support; when the interpreter provides PEP 706 filters, tarfile itself performs the check. In the fallback, pip may fail to validate whether a symbolic link's target lies within the extraction directory. The issue has been assigned a CVSS v4.0 Base Score of 5.9 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N (NVD Database).
If exploited, this vulnerability could allow an attacker to create malicious symbolic links in tar archives that point to locations outside the intended extraction directory. This could potentially lead to file system traversal and unauthorized file access or modification during the package installation process (Python Security).
Several mitigation options are available (Python Security):
1. Upgrade to a version of pip that includes the fix.
2. Upgrade to a Python version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), so that pip no longer uses its fallback extraction code.
3. Apply the patch provided in the GitHub pull request.
4. Follow the best practice of inspecting source distributions before installation.
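As an added, defender-side illustration of the check this advisory is about (this script is written for this page; it is not pip's code and does not reproduce pip's fallback), the following Python audits a source-distribution tarball for link members whose targets would resolve outside the extraction directory, and then shows how the PEP 706 `tarfile.data_filter` rejects the same members on interpreters that ship it. The archive contents, the `/extract` destination and the function names are constructed assumptions.

```python
"""Audit a source-distribution tarball for link members that would escape the
extraction directory, then show how PEP 706's tarfile.data_filter rejects them.
Added example for this page; the sample archive below is constructed, not a real package."""
import io
import posixpath
import tarfile
import tempfile
from typing import List, Optional

EXTRACT_DIR = "/extract"  # assumed destination for the pure-path audit


def _inside(base: str, full: str) -> bool:
    """True if the normalized POSIX path `full` lies within `base`."""
    full = posixpath.normpath(full)
    return full == base or full.startswith(base.rstrip("/") + "/")


def find_escaping_members(archive: bytes, base: str = EXTRACT_DIR) -> List[str]:
    """Pure-path audit that touches no files: report members whose own path,
    symlink target or hard-link target would resolve outside `base`."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar.getmembers():
            name = m.name
            if posixpath.isabs(name) or not _inside(base, posixpath.join(base, name)):
                findings.append(f"{name}: member path escapes {base}")
                continue
            if not (m.issym() or m.islnk()):
                continue
            target = m.linkname
            if m.issym():
                # a symlink target is interpreted relative to the link's own directory
                resolved = posixpath.join(base, posixpath.dirname(name), target)
            else:
                # a hard-link target is interpreted relative to the archive root
                resolved = posixpath.join(base, target)
            if posixpath.isabs(target) or not _inside(base, resolved):
                kind = "symlink" if m.issym() else "hardlink"
                findings.append(f"{name}: {kind} -> {target} escapes {base}")
    return findings


def data_filter_rejections(archive: bytes) -> Optional[List[str]]:
    """On interpreters that ship PEP 706 (tarfile.data_filter), extract into a
    scratch directory through the filter and list the members it rejects.
    Returns None where the filter is absent, i.e. on the interpreters for which
    pip had to fall back to its own extraction code."""
    if not hasattr(tarfile, "data_filter"):
        return None
    rejected = []
    with tempfile.TemporaryDirectory() as dest, \
            tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar.getmembers():
            try:
                # the filter resolves link targets against the real destination,
                # so it also catches chains through members already extracted
                tar.extract(m, path=dest, filter=tarfile.data_filter)
            except tarfile.FilterError as exc:
                rejected.append(f"{m.name}: {type(exc).__name__}")
    return rejected


def build_sample_archive() -> bytes:
    """Constructed sdist-like tarball: one source file, one benign symlink,
    one symlink and one hard link whose targets leave the extraction directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = b"print('hello')\n"
        src = tarfile.TarInfo("pkg-1.0/setup.py")
        src.size = len(data)
        tar.addfile(src, io.BytesIO(data))

        ok = tarfile.TarInfo("pkg-1.0/alias.py")   # stays inside pkg-1.0/
        ok.type = tarfile.SYMTYPE
        ok.linkname = "setup.py"
        tar.addfile(ok)

        sym = tarfile.TarInfo("pkg-1.0/escape")    # resolves to /outside
        sym.type = tarfile.SYMTYPE
        sym.linkname = "../../outside"
        tar.addfile(sym)

        hard = tarfile.TarInfo("pkg-1.0/hl")       # resolves to /secret
        hard.type = tarfile.LNKTYPE
        hard.linkname = "../secret"
        tar.addfile(hard)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for line in find_escaping_members(sample):
        print("path audit:", line)
    print("data_filter:", data_filter_rejections(sample))
```

The pure-path audit is suitable for inspecting an sdist before installation (mitigation 4 above) because it never creates anything on disk, but it only normalizes strings: it does not follow a link whose target passes through another link created earlier in the same archive. `tarfile.data_filter` resolves each target with `os.path.realpath` against the actual destination as extraction proceeds, which is why upgrading to a PEP 706 interpreter (mitigation 2) is the stronger fix.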
Source: This report was generated using AI