Wind River Support Network

Fixed

LIN1022-18049 : Security Advisory - python3-pip - CVE-2025-8869

Created: Sep 24, 2025    Updated: Sep 26, 2025
Resolved Date: Sep 26, 2025
Found In Version: 10.22.33.1
Fix Version: 10.22.33.13
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Userspace

Description

When extracting a tar archive, pip may not check that symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706.

Note that this is a vulnerability in pip's fallback implementation of tar extraction for Python versions that don't implement PEP 706 and are therefore not protected against all vulnerabilities in the Python 'tarfile' module. If you're using a Python version that implements PEP 706, then pip doesn't use the "vulnerable" fallback code.

Mitigations include upgrading to a version of pip that includes the fix, upgrading to a Python version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or inspecting source distributions (sdists) before installation, as is already best practice.
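An added check (not Wind River's or pip's own code) that mirrors the validation described above: it reports whether the running interpreter's tarfile module implements PEP 706, and, for interpreters that do not, flags archive members whose symlink or hardlink targets would resolve outside the extraction directory before anything is written to disk. The sdist-like archive it inspects is constructed inline; all function names are hypothetical.

```python
import io
import os
import tarfile
import tempfile


def tarfile_implements_pep706() -> bool:
    """PEP 706 adds tarfile.data_filter; pip only uses its fallback extraction without it."""
    return hasattr(tarfile, "data_filter")


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Pre-extraction check: members whose own path, or whose symlink/hardlink
    target, would resolve outside dest (the check the fallback code omits)."""
    root = os.path.realpath(dest)
    bad = []
    for m in tar.getmembers():
        path = os.path.realpath(os.path.join(root, m.name))
        if os.path.commonpath([root, path]) != root:
            bad.append(m.name)  # the member path itself escapes
            continue
        if m.issym():    # symlink targets are relative to the link's directory
            target = os.path.join(os.path.dirname(path), m.linkname)
        elif m.islnk():  # hardlink targets are relative to the archive root
            target = os.path.join(root, m.linkname)
        else:
            continue
        if os.path.commonpath([root, os.path.realpath(target)]) != root:
            bad.append(m.name)
    return bad


def build_sample_archive() -> bytes:
    """Constructed archive: one benign file plus a symlink pointing outside dest."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"print('hello')\n"
        info = tarfile.TarInfo("pkg-1.0/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("pkg-1.0/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()


def check_sample() -> list:
    """Run the check on the constructed archive against a fresh temp dir."""
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(build_sample_archive())) as tar:
            return unsafe_members(tar, dest)
```

On an interpreter with PEP 706 filters, `tar.extractall(dest, filter="data")` performs this validation itself; the manual check is only needed on the older releases the advisory lists.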

CVEs

