Lifecycle Timeline
3Blast Radius
ecosystem impact- 1 pypi packages depend on pip (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 26.0.
DescriptionCVE.org
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.
Analysis
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.
Technical ContextAI
Classified as CWE-22 (Path Traversal). When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.
Affected ProductsAI
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path travers
RemediationAI
Monitor vendor advisories for a patch. Validate and sanitize file path inputs. Use allowlists.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-6vgw-5pg2-w6jp