"Preventing ZIP parser confusion attacks on Python package installers" (2025-08), The Python Package Index Blog: https://blog.pypi.org/posts/2025-08-07-wheel-archive-confusion-attacks/
> What is PyPI doing to prevent ZIP confusion attacks? Is this sufficient; what else should PyPI do to prevent malformed uploads that worked before these changes?

On Mon, Apr 20, 2026, 11:03 AM Seth Larson <[email protected]> wrote:

> There is a MEDIUM severity vulnerability affecting pip.
>
> pip handles concatenated tar and ZIP files as ZIP files regardless of
> filename or whether a file is both a tar and ZIP file. This behavior could
> result in confusing installation behavior, such as installing "incorrect"
> files according to the filename of the archive. New behavior only proceeds
> with installation if the file identifies uniquely as a ZIP or tar archive,
> not as both.
>
> Please see the linked CVE ID for the latest information on affected
> versions:
>
> * https://www.cve.org/CVERecord?id=CVE-2026-3219
> * https://github.com/pypa/pip/pull/13870
>
> _______________________________________________
> Security-announce mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> https://mail.python.org/mailman3//lists/security-announce.python.org
> Member address: [email protected]
_______________________________________________
Security-SIG mailing list -- [email protected]
https://mail.python.org/mailman3//lists/security-sig.python.org
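The ambiguity the advisory describes, shown with the standard library: a tar reader decides from the header at offset 0, a ZIP reader from the end-of-central-directory record at the end, so one blob made by concatenating a tar and a ZIP satisfies both and each parser returns a different file. This is example code added to the thread, not pip's or PyPI's implementation; the archives and their contents are constructed inline, and `archive_kinds`/`is_unambiguous` are illustrative names for the "exactly one format" check the fix applies.

```python
import io
import tarfile
import zipfile

def build_tar(files: dict) -> bytes:
    """Build an uncompressed tar archive in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_zip(files: dict) -> bytes:
    """Build a ZIP archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def read_as_tar(data: bytes) -> dict:
    """Members as a tar reader sees them: the header at offset 0 decides."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        return {m.name: tf.extractfile(m).read() for m in tf if m.isfile()}

def read_as_zip(data: bytes) -> dict:
    """Members as a ZIP reader sees them: the central directory at the end decides."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: zf.read(n) for n in zf.namelist()}

def archive_kinds(data: bytes) -> set:
    """Every format the blob parses as; an installer should require exactly one."""
    kinds = set()
    if zipfile.is_zipfile(io.BytesIO(data)):
        kinds.add("zip")
    try:
        read_as_tar(data)
        kinds.add("tar")
    except tarfile.TarError:
        pass
    return kinds

def is_unambiguous(data: bytes) -> bool:
    return len(archive_kinds(data)) == 1

# Constructed sample (added illustration, not pip's code): same path, different contents.
TAR_ONLY = build_tar({"pkg/__init__.py": b"VERSION = 'tar'\n"})
ZIP_ONLY = build_zip({"pkg/__init__.py": b"VERSION = 'zip'\n"})
CONCATENATED = TAR_ONLY + ZIP_ONLY  # tar first, ZIP last: valid under both parsers
```

Rejecting any upload or download for which `archive_kinds` returns more than one format is the check the advisory describes; the filename alone cannot settle which parser a downstream consumer will use.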
