Skip to content

chore(deps): update dependency pip to v25 [security] - autoclosed#1285

Closed
renovate[bot] wants to merge 1 commit intomainfrom
renovate/pypi-pip-vulnerability
Closed

chore(deps): update dependency pip to v25 [security] - autoclosed#1285
renovate[bot] wants to merge 1 commit intomainfrom
renovate/pypi-pip-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Sep 24, 2025
edited
Loading

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package Change Age Confidence
pip (changelog) ==24.1.2 -> ==25.2 age confidence

GitHub Vulnerability Alerts

CVE-2025-8869

Summary

In the fallback extraction path for source distributions, pip used Python’s tarfile module without verifying that symbolic/hard link targets resolve inside the intended extraction directory. A malicious sdist can include links that escape the target directory and overwrite arbitrary files on the invoking host during pip install.

Impact

Successful exploitation enables arbitrary file overwrite outside the build/extraction directory on the machine running pip. This can be leveraged to tamper with configuration or startup files and may lead to further code execution depending on the environment, but the direct, guaranteed impact is integrity compromise on the vulnerable system.

Conditions

The issue is triggered when installing an attacker-controlled sdist (e.g., from an index or URL) and the fallback extraction code path is used. No special privileges are required beyond running pip install; active user action is necessary.

Remediation

Upgrade to pip 25.2 or later, which validates member paths and rejects unsafe link targets. Using a Python interpreter that implements the safe-extraction behavior described by PEP 706 provides additional defense in depth for other tarfile issues but is not a substitute for upgrading pip for this specific flaw.

Release Notes

pypa/pip (pip)

v25.2

Compare Source

v25.1.1

Compare Source

v25.1

Compare Source

v25.0.1

Compare Source

v25.0

Compare Source

v24.3.1

Compare Source

v24.3

Compare Source

v24.2

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions[bot]
github-actions bot reviewed Sep 24, 2025
View reviewed changes
Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Scan Summary

Tool Critical High Medium Low Status
Python Source Analyzer 0 0 0 0
Python Security Analysis 1 0 2 1

Recommendation

Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍

@renovate renovate bot changed the title chore(deps): update dependency pip to v25 [security] chore(deps): update dependency pip to v25 [security] - autoclosed Sep 30, 2025
@renovate renovate bot closed this Sep 30, 2025
@renovate renovate bot deleted the renovate/pypi-pip-vulnerability branch September 30, 2025 18:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

Assignees

No one assigned

Labels

security findings

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants