[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2025-8869":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-05T08:55:32.481Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":15,"downstream":16,"duplicates":25,"related":26,"reserved_at":9,"published_at":37,"modified_at":38,"state":39,"summary":40,"references_raw":49,"kevs":89,"epss":90,"epss_history":93,"metrics":364,"affected":373},"CVE-2025-8869","When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706.\nNote that upgrading pip to a \"fixed\" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706.\n\nNote that this is a vulnerability in pip's fallback implementation of tar extraction for Python versions that don't implement PEP 706\nand therefore are not secure to all vulnerabilities in the Python 'tarfile' module. If you're using a Python version that implements PEP 706\nthen pip doesn't use the \"vulnerable\" fallback code.\n\nMitigations include upgrading to a version of pip that includes the fix, upgrading to a Python version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12),\napplying the linked patch, or inspecting source distributions (sdists) before installation as is already a best-practice.",null,[],[],[13,14],"GHSA-4xh5-x5gv-qwph","BIT-pip-2025-8869",[],[17,19,21,23],{"_key":18},"DLA-4348-1",{"_key":20},"UBUNTU-CVE-2025-8869",{"_key":22},"ECHO-FFE1-1D3C-D9BC",{"_key":24},"DEBIAN-CVE-2025-8869",[],[27,29,31,33,35],{"_key":28},"CGA-GP9X-PVP4-9F35",{"_key":30},"CGA-HMX9-F954-2X8M",{"_key":32},"CGA-M555-HGFJ-QHHH",{"_key":34},"CGA-VV4W-2V56-2R2G",{"_key":36},"CGA-39QR-JMX6-XJ3F","2025-09-24T14:56:56.027Z","2025-11-03T17:45:31.574Z","Deferred",{"cisa_kev":41,"cisa_ransomware":41,"cisa_vendor":9,"epss_severity":42,"epss_score":43,"severity":44,"severity_score":45,"severity_version":46,"severity_source":47,"severity_vector":48,"severity_status":39},false,"low",0.00022,"medium",5.9,"v4.0","cve.org","CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",[50,58,63,67,72,76,81,85],{"url":51,"sources":52,"tags":55},"https://github.com/pypa/pip/pull/13550",[47,53,54],"nvd","osv_pypi",[56,57],"Patch","WEB",{"url":59,"sources":60,"tags":61},"https://mail.python.org/archives/list/security-announce@python.org/thread/IF5A3GCJY3VH7BVHJKOWOJFKTW7VFQEN/",[47,53],[62],"Vendor Advisory",{"url":64,"sources":65,"tags":66},"https://lists.debian.org/debian-lts-announce/2025/10/msg00028.html",[47,53,54],[57],{"url":68,"sources":69,"tags":70},"https://nvd.nist.gov/vuln/detail/CVE-2025-8869",[54],[71],"Advisory",{"url":73,"sources":74,"tags":75},"https://github.com/pypa/pip/commit/f2b92314da012b9fffa36b3f3e67748a37ef464a",[54],[57],{"url":77,"sources":78,"tags":79},"https://github.com/pypa/pip",[54],[80],"PACKAGE",{"url":82,"sources":83,"tags":84},"https://mail.python.org/archives/list/security-announce@python.org/thread/IF5A3GCJY3VH7BVHJKOWOJFKTW7VFQEN",[54],[57],{"url":86,"sources":87,"tags":88},"https://pip.pypa.io/en/stable/news/#v25-2",[54],[57],[],{"date":91,"score":43,"percentile":92},"2026-06-04",0.06552,[94,98,101,104,107,110,113,116,119,122,125,128,131,134,137,141,144,147,151,154,157,160,163,166,169,172,175,178,181,184,187,190,193,196,199,202,205,208,211,214,217,220,223,226,229,232,235,238,241,244,247,250,253,256,259,262,265,267,270,273,276,279,282,285,288,291,293,296,299,302,305,308,311,314,316,319,322,325,328,331,334,337,341,344,347,350,353,356,358,361],{"date":95,"score":96,"percentile":97},"2025-11-04",0.00023,0.04854,{"date":99,"score":96,"percentile":100},"2025-11-05",0.0486,{"date":102,"score":96,"percentile":103},"2025-11-06",0.04973,{"date":105,"score":96,"percentile":106},"2025-11-07",0.04982,{"date":108,"score":96,"percentile":109},"2025-11-08",0.04977,{"date":111,"score":96,"percentile":112},"2025-11-09",0.04978,{"date":114,"score":96,"percentile":115},"2025-11-10",0.04956,{"date":117,"score":96,"percentile":118},"2025-11-11",0.04995,{"date":120,"score":96,"percentile":121},"2025-11-12",0.05015,{"date":123,"score":96,"percentile":124},"2025-11-13",0.05049,{"date":126,"score":96,"percentile":127},"2025-11-14",0.05085,{"date":129,"score":96,"percentile":130},"2025-11-15",0.05106,{"date":132,"score":96,"percentile":133},"2025-11-16",0.05122,{"date":135,"score":96,"percentile":136},"2025-11-17",0.05116,{"date":138,"score":139,"percentile":140},"2025-11-18",0.00057,0.13403,{"date":142,"score":139,"percentile":143},"2025-11-19",0.13421,{"date":145,"score":139,"percentile":146},"2025-11-20",0.13437,{"date":148,"score":149,"percentile":150},"2025-11-21",0.0002,0.04065,{"date":152,"score":149,"percentile":153},"2025-11-22",0.04069,{"date":155,"score":149,"percentile":156},"2025-11-23",0.04057,{"date":158,"score":149,"percentile":159},"2025-11-24",0.04034,{"date":161,"score":149,"percentile":162},"2025-11-25",0.04028,{"date":164,"score":149,"percentile":165},"2025-11-26",0.0407,{"date":167,"score":149,"percentile":168},"2025-11-27",0.04091,{"date":170,"score":149,"percentile":171},"2025-11-28",0.04084,{"date":173,"score":149,"percentile":174},"2025-11-29",0.04134,{"date":176,"score":149,"percentile":177},"2025-11-30",0.04147,{"date":179,"score":149,"percentile":180},"2025-12-01",0.04513,{"date":182,"score":149,"percentile":183},"2025-12-02",0.04528,{"date":185,"score":149,"percentile":186},"2025-12-03",0.04547,{"date":188,"score":149,"percentile":189},"2025-12-04",0.04491,{"date":191,"score":149,"percentile":192},"2025-12-05",0.04561,{"date":194,"score":149,"percentile":195},"2025-12-06",0.04574,{"date":197,"score":149,"percentile":198},"2025-12-07",0.04577,{"date":200,"score":149,"percentile":201},"2025-12-08",0.04575,{"date":203,"score":149,"percentile":204},"2025-12-09",0.04625,{"date":206,"score":149,"percentile":207},"2025-12-10",0.04669,{"date":209,"score":149,"percentile":210},"2025-12-11",0.04662,{"date":212,"score":149,"percentile":213},"2025-12-12",0.04676,{"date":215,"score":149,"percentile":216},"2025-12-13",0.04714,{"date":218,"score":149,"percentile":219},"2025-12-14",0.04702,{"date":221,"score":149,"percentile":222},"2025-12-15",0.04659,{"date":224,"score":149,"percentile":225},"2025-12-16",0.04666,{"date":227,"score":149,"percentile":228},"2025-12-17",0.04724,{"date":230,"score":149,"percentile":231},"2025-12-18",0.04759,{"date":233,"score":149,"percentile":234},"2025-12-19",0.04746,{"date":236,"score":149,"percentile":237},"2025-12-20",0.0474,{"date":239,"score":149,"percentile":240},"2025-12-21",0.04765,{"date":242,"score":149,"percentile":243},"2025-12-22",0.04701,{"date":245,"score":149,"percentile":246},"2025-12-23",0.04712,{"date":248,"score":149,"percentile":249},"2025-12-24",0.04734,{"date":251,"score":149,"percentile":252},"2025-12-25",0.04773,{"date":254,"score":149,"percentile":255},"2025-12-26",0.04775,{"date":257,"score":149,"percentile":258},"2025-12-27",0.04774,{"date":260,"score":149,"percentile":261},"2025-12-28",0.04766,{"date":263,"score":149,"percentile":264},"2025-12-29",0.04761,{"date":266,"score":149,"percentile":243},"2025-12-30",{"date":268,"score":149,"percentile":269},"2025-12-31",0.04719,{"date":271,"score":149,"percentile":272},"2026-01-01",0.048,{"date":274,"score":149,"percentile":275},"2026-01-02",0.04798,{"date":277,"score":149,"percentile":278},"2026-01-03",0.04785,{"date":280,"score":149,"percentile":281},"2026-01-04",0.04679,{"date":283,"score":149,"percentile":284},"2026-01-05",0.04614,{"date":286,"score":149,"percentile":287},"2026-01-06",0.04611,{"date":289,"score":149,"percentile":290},"2026-01-07",0.0463,{"date":292,"score":149,"percentile":222},"2026-01-08",{"date":294,"score":149,"percentile":295},"2026-01-09",0.04658,{"date":297,"score":149,"percentile":298},"2026-01-10",0.04665,{"date":300,"score":149,"percentile":301},"2026-01-11",0.0465,{"date":303,"score":149,"percentile":304},"2026-01-12",0.04661,{"date":306,"score":149,"percentile":307},"2026-01-13",0.04652,{"date":309,"score":149,"percentile":310},"2026-01-14",0.04697,{"date":312,"score":149,"percentile":313},"2026-01-15",0.04605,{"date":315,"score":149,"percentile":201},"2026-01-16",{"date":317,"score":149,"percentile":318},"2026-01-17",0.04573,{"date":320,"score":149,"percentile":321},"2026-01-18",0.04558,{"date":323,"score":149,"percentile":324},"2026-01-19",0.04509,{"date":326,"score":149,"percentile":327},"2026-01-20",0.04465,{"date":329,"score":149,"percentile":330},"2026-01-21",0.04454,{"date":332,"score":149,"percentile":333},"2026-01-22",0.04438,{"date":335,"score":149,"percentile":336},"2026-01-23",0.04488,{"date":338,"score":339,"percentile":340},"2026-01-24",0.00024,0.05821,{"date":342,"score":339,"percentile":343},"2026-01-25",0.05769,{"date":345,"score":339,"percentile":346},"2026-01-26",0.05752,{"date":348,"score":339,"percentile":349},"2026-01-27",0.05731,{"date":351,"score":339,"percentile":352},"2026-01-28",0.05714,{"date":354,"score":339,"percentile":355},"2026-01-29",0.05727,{"date":357,"score":339,"percentile":355},"2026-01-30",{"date":359,"score":339,"percentile":360},"2026-01-31",0.05704,{"date":362,"score":339,"percentile":363},"2026-02-01",0.05771,[365,368,371],{"source":47,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":366},{"baseScore":45,"baseSeverity":367,"vectorString":48,"impactScore":9,"exploitabilityScore":9},"MEDIUM",{"source":53,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":369},{"baseScore":45,"baseSeverity":367,"vectorString":370,"impactScore":9,"exploitabilityScore":9},"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",{"source":54,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":372},{"baseScore":45,"baseSeverity":9,"vectorString":48,"impactScore":9,"exploitabilityScore":9},[374,385],{"ecosystem":375,"name":376,"vendor":375,"product":376,"cpe_part":9,"purl_type":377,"purl_namespace":9,"purl_name":376,"source":9,"versions":378},"PyPI","pip","pypi",[379],{"version":380,"is_range":381,"range_type":382,"version_start":9,"version_start_type":9,"version_end":383,"version_end_type":384,"fixed_in":9},"lt25_3",true,"ecosystem","25.3","excluding",{"ecosystem":9,"name":376,"vendor":386,"product":376,"cpe_part":387,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":388},"python packaging authority","a",[389],{"version":390,"is_range":381,"range_type":47,"version_start":9,"version_start_type":9,"version_end":383,"version_end_type":384,"fixed_in":9},"\u003C 25.3"]