AIKIDO-2026-10652
pipenv is vulnerable to Path Traversal
75
High Risk
This Affects:
pipenvTL;DR
Affected versions of this package are vulnerable to a path traversal vulnerability in the vendored pip archive extraction logic when handling crafted tar files on specific CPython patch versions. During fallback processing of LinkOutsideDestinationError, the code routed extraction through the more permissive tarfile.tar_filter, which did not validate whether hardlink or symlink targets remained inside the intended destination directory. As a result, attacker-controlled archive members could create links to files outside the install root, potentially leading to arbitrary file overwrite or unauthorized file creation during package extraction.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range.
Background info
pipenv is vulnerable to Path Traversal in versions 0.0.1 - 2026.5.2.
How to fix this
Upgrade the pipenv library to a patch version.
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant