Current pip 25.2 and CVE-2025-8869 break CI pipelines

[jenstroeger]

Description

Following up on comment #13522 (comment) and the discussion there, I wanted to open this issue as @notatallshaw asked.

@notatallshaw […] if you have any impact please open a new GitHub issue and we can discuss there, and act appropriately.

The impact is breaking CI pipelines that use pip-audit. We have currently updated our configurations to ignore this particular CVE but would like to see it fixed instead.

Expected behavior

No response

pip version

25.2

Python version

3.13

OS

Linux

How to Reproduce

(venv) ~ > pip list
Package Version
------- -------
pip     25.2
(venv) ~ > pip install pip_audit
Collecting pip_audit
  Downloading pip_audit-2.9.0-py3-none-any.whl.metadata (27 kB)
  ...
(venv) ~ > pip-audit 
Found 1 known vulnerability in 1 package
Name Version ID                  Fix Versions
---- ------- ------------------- ------------
pip  25.2    GHSA-4xh5-x5gv-qwph
(venv) ~ > echo $?
1

which breaks the CI job.

Output

No response

Code of Conduct

• I agree to follow the PSF Code of Conduct.

[notatallshaw]

Python version

3.13

Name Version ID Fix Versions

---

pip 25.2 GHSA-4xh5-x5gv-qwph

This Python version isn't affected by the associated CVE of GHSA-4xh5-x5gv-qwph, has this issue been reported to pip-audit? Perhaps the metadata for this needs updating.

[behnazh-w]

I don't think pip-audit can address this. It checks a Python package identifier against the advisory knowledge base, but it does not (and likely will not) check the current Python version.

[notatallshaw]

Skimming through the docs and code that seems probably right, I guess this falls under the following documentation category: https://github.com/pypa/pip-audit?tab=readme-ov-file#pip-audit-shows-irrelevant-vulnerability-reports

Let's see if any other maintainer wants to weigh in on this, I don't think I will have time to work on this any further (as mentioned in the pip 25.3 thread I'm unlikely to have availability at the beginning of October, but will engage again if something changes).

[mauritsvanrees]

Isn't the problem that the pip CVE says that all pip versions including 25.2 are vulnerable, and that patched versions is "None"? I think it was different originally, but was updated yesterday.

Based on the text I would expect affected versions to be "<25.2" and patched version to be "25.2".

Also, the current text seems to say that using a newer Python version is a good idea for other tarfile-related problems, but that on all Python versions you should update to pip 25.2. So the Python version seems irrelevant here.

Sorry if I completely misunderstood the point.

[tobbin2]

Looking at the changelog of 25.2 doesn't it state anything regarding this bug. Do we assume that this one is fixed or not?

[erdnaxeli]

Based on the text I would expect affected versions to be "<25.2" and patched version to be "25.2".

The 25.2 version does not include the patch, it will be in 25.3 which has not been released yet.

The impact is breaking CI pipelines that use pip-audit.

Using trivy produces the same result.

[robline]

Just a quick note that might help others dealing with this. We are adding this line to our Dockerfile in the meantime to get around this:

RUN pip-audit --ignore-vuln GHSA-4xh5-x5gv-qwph || true

And this to .gitlab-ci.yaml:
pip-audit --ignore-vuln GHSA-4xh5-x5gv-qwph --format=json --output=gl-dependency-scanning-report.json

[notatallshaw]

To be clear on if you are affected by the CVE:

• CVE-2025-8869 is a specific instance of CVE-2007-4559, which is that a tarfile archive can be extracted with a link that points outside the archive
• CVE-2007-4559 was fixed by Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12, so if you are on one of Python versions you are not affected by CVE-2025-8869, if you are not on one of those Python versions you are not on a secure version of Python
• CVE-2025-8869 affects building/installing source distributions (sdists), not installing binary distributions (wheels), the building of an sdist can already run arbitrary code
• No pip version has yet been published on PyPI which mitigates this CVE, but I see several redistributions of pip (e.g.fix(py3-pip): Build with patch for CVE-2025-8869 wolfi-dev/os#67721), which presumably offer extra support, are starting to include the patch directly

From my perspective as a the person who merged the PR (#13550):

• Pip doesn't have a support policy for insecure versions of Python, although maintainers have accepted patches on a best effort basis
• The PR was reasonable outside the security angle, these tarfiles are invalid if they point to things not inside them
• The security angle, in my opinion, is dubious, as building sdists already involves arbitrary code execution, so I find it hard to come up with a scenario where someone cares about tar extraction pointing outside the archive but doesn't care about the arbitrary code execution

I was therefore not planning to create a pip release based on this PR, and I'm still not as it would be my first release of pip and I don't have capacity right now if I make any mistakes or have to do a follow up. However, I am not against another maintainer cherry picking this patch and doing a release if they want, but please be aware all maintainers of pip are currently here on a volunteer basis and so it requires they have the spare time and will to do so.

I'm pinging @sethmlarson in case the CVE author wants to add anything, but I don't think there's anything else currently to add.

[sethmlarson]

Great summary @notatallshaw, everything you've said is correct. This vulnerability is definitely a bit different than a typical one, the best way to "remediate" is to upgrade your Python version. For this reason it felt appropriate to emit a CVE ID even if the "fix" isn't available in a published version yet.

If you're using pip-audit and you're not affected by this vulnerability (ie: using a Python version that implements PEP 706) then you can ignore the vulnerability with --ignore-vuln CVE-2025-8869.