PyPI: pip
CVE-2026-1703
Safety vulnerability ID: SFTY-20260202-37987
Safety legacy ID: pyup.io-85681
Affected versions of the pip package are vulnerable to Path Traversal due to an incorrect directory containment check when extracting wheel archives. In src/pip/_internal/utils/unpacking.py, the is_within_directory() helper used os.path.commonprefix() (character-by-character) to compare directory and target paths, allowing crafted paths like a parent-directory substring match to be treated as safely inside the installation directory.
Overview
pip Path Traversal vulnerability
Advisory
Affected versions of the pip package are vulnerable to Path Traversal due to an incorrect directory containment check when extracting wheel archives. In src/pip/_internal/utils/unpacking.py, the is_within_directory() helper used os.path.commonprefix() (character-by-character) to compare directory and target paths, allowing crafted paths like a parent-directory substring match to be treated as safely inside the installation directory.
How to Fix
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20260202-37987/CVE-2026-1703
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1703
- https://github.com/advisories/GHSA-6vgw-5pg2-w6jp
- https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735
- https://nvd.nist.gov/vuln/detail/CVE-2026-1703
- https://github.com/pypa/pip/pull/13777
- https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735
- https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ
- https://github.com/advisories/GHSA-6vgw-5pg2-w6jp
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
Learn more