Vulnerability in Python Packaging Authority Pip
CVE-2025-8869
When extracting a tar archive, pip may not check that symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known v…
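The practical question this description raises is whether your interpreter's tarfile module has the PEP 706 extraction filters at all (`tarfile.data_filter` and the `filter=` argument to `extractall`), because that is what decides whether a symlink in an sdist is checked against the extraction directory. The following is an added example, not pip's code or the tarfile module's: it builds a constructed archive in memory in which a symlink points at the parent of the extraction directory and a file is placed "under" that link, shows that an unfiltered extraction writes the file outside the destination, and shows that the `data` filter refuses the archive. For interpreters that lack PEP 706 it falls back to a hand-written approximation of the filter's path and link rules (`check_member`, a hypothetical helper; the stdlib filter is the authoritative version and also rewrites permissions and ownership, which the fallback does not). All names other than the stdlib ones are assumptions of this example.

```python
"""Symlink-escape check during tar extraction: PEP 706 'data' filter when
available, manual fallback otherwise. Added example; not pip's code."""
import io
import os
import tarfile
import tempfile


class UnsafeArchiveError(Exception):
    """Raised when an archive member would escape the extraction directory."""


def tarfile_implements_pep706() -> bool:
    # PEP 706 added tarfile.data_filter and the filter= argument (3.12, plus
    # the 3.8.17 / 3.9.17 / 3.10.12 / 3.11.4 security backports).
    return hasattr(tarfile, "data_filter")


def build_tar(members) -> bytes:
    """Build an uncompressed tar in memory from (name, linkname, payload)
    tuples: linkname set -> symlink member, payload set -> regular file.
    Constructed sample input, not a real sdist."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, linkname, payload in members:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tf.addfile(info)
            else:
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# 'pkg/escape' resolves to dest/pkg/../.. = the parent of dest, so the file
# extracted "under" it lands outside the extraction directory.
ESCAPE_TAR = build_tar([
    ("pkg/escape", "../..", None),
    ("pkg/escape/pwned.txt", None, b"written outside dest\n"),
])

# A legitimate archive: a relative symlink that stays inside dest.
BENIGN_TAR = build_tar([
    ("pkg/data.txt", None, b"hello\n"),
    ("pkg/link", "data.txt", None),
])


def _inside(dest_real: str, path: str) -> bool:
    return os.path.commonpath([dest_real, os.path.realpath(path)]) == dest_real


def check_member(member: tarfile.TarInfo, dest: str) -> None:
    """Hypothetical fallback: the path and link rules of tarfile.data_filter,
    for interpreters without PEP 706. Strips leading slashes like the filter."""
    dest_real = os.path.realpath(dest)
    name = member.name.lstrip("/" + os.sep)
    if os.path.isabs(name):
        raise UnsafeArchiveError(f"absolute member path: {member.name!r}")
    member.name = name
    # realpath follows symlinks extracted earlier, so a file placed under an
    # escaping link is caught even if the link itself had slipped through.
    if not _inside(dest_real, os.path.join(dest_real, name)):
        raise UnsafeArchiveError(f"member escapes destination: {name!r}")
    if member.issym() or member.islnk():
        if os.path.isabs(member.linkname):
            raise UnsafeArchiveError(f"absolute link target: {name!r} -> {member.linkname!r}")
        if member.issym():  # symlink targets are relative to the link's own directory
            target = os.path.join(dest_real, os.path.dirname(name), member.linkname)
        else:               # hard link targets are relative to the archive root
            target = os.path.join(dest_real, member.linkname)
        if not _inside(dest_real, target):
            raise UnsafeArchiveError(f"link escapes destination: {name!r} -> {member.linkname!r}")
    if member.ischr() or member.isblk() or member.isfifo():
        raise UnsafeArchiveError(f"special file refused: {name!r}")


def safe_extract(data: bytes, dest: str) -> None:
    """Extract with the stdlib 'data' filter when available, else check each
    member by hand immediately before extracting it."""
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        if tarfile_implements_pep706():
            try:
                tf.extractall(dest, filter="data")
            except tarfile.FilterError as exc:
                raise UnsafeArchiveError(str(exc)) from exc
        else:
            for member in tf:
                check_member(member, dest)
                tf.extract(member, dest)


def unchecked_extract(data: bytes, dest: str) -> None:
    """Unfiltered extraction, the pre-PEP 706 default behaviour."""
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        if tarfile_implements_pep706():
            tf.extractall(dest, filter="fully_trusted")  # 3.14 defaults to 'data'
        else:
            tf.extractall(dest)


def demo() -> dict:
    """Extract ESCAPE_TAR both ways and BENIGN_TAR safely; report what happened.
    The escaping file, if written, lands at <root>/pwned.txt, outside dest."""
    result = {"pep706": tarfile_implements_pep706()}
    with tempfile.TemporaryDirectory() as root:
        unchecked_extract(ESCAPE_TAR, os.path.join(root, "dest"))
        result["unchecked_wrote_outside"] = os.path.isfile(os.path.join(root, "pwned.txt"))
    with tempfile.TemporaryDirectory() as root:
        try:
            safe_extract(ESCAPE_TAR, os.path.join(root, "dest"))
            result["checked_blocked"] = False
        except UnsafeArchiveError as exc:
            result["checked_blocked"] = True
            result["reason"] = str(exc)
        result["checked_wrote_outside"] = os.path.isfile(os.path.join(root, "pwned.txt"))
    with tempfile.TemporaryDirectory() as root:
        safe_extract(BENIGN_TAR, os.path.join(root, "dest"))
        result["benign_ok"] = os.path.isfile(os.path.join(root, "dest", "pkg", "data.txt"))
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` on a PEP 706 interpreter reports `pep706: True`, `unchecked_wrote_outside: True` and `checked_blocked: True` with the stdlib's `LinkOutsideDestinationError` message as the reason; on an older interpreter the same outcome comes from the fallback check. The caveat the description hints at applies here too: a pip that passes `filter="data"` gains nothing if the interpreter's tarfile has no such filter, so the `tarfile_implements_pep706()` probe, or simply upgrading Python to a release that carries the backport, is the check worth adding to a build image.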
EPSS: 0.000 (6.6th percentile)
Affected products
- Python Packaging Authority Pip — versions 0
Public proof-of-concept exploits
References
Frequently asked questions
- What is CVE-2025-8869?
- CVE-2025-8869 is a vulnerability in Python Packaging Authority Pip. Published 2025-09-24.
- Is CVE-2025-8869 known to be exploited?
- 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.