
CVE Reports

Originally published at cvereports.com

CVE-2025-71176: Local Privilege Escalation and Information Disclosure via TOCTOU Race Condition in pytest

Vulnerability ID: CVE-2025-71176
CVSS Score: 6.8
Published: 2026-01-22

The pytest testing framework through version 9.0.2 on UNIX-like systems creates base temporary directories using a predictable naming pattern. This predictable pattern allows a local attacker to execute a symlink race or Time-of-Check Time-of-Use (TOCTOU) attack, potentially resulting in Denial of Service (DoS), information disclosure, or local privilege escalation.

TL;DR

pytest <= 9.0.2 utilizes a predictable temporary directory structure (/tmp/pytest-of-{user}) that is vulnerable to local symlink attacks. Local attackers can pre-create this directory to steal test data, alter file permissions, or cause a Denial of Service.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-379
  • Attack Vector: Local
  • CVSS Score: 6.8
  • EPSS Score: 0.00006
  • Impact: Information Disclosure, Denial of Service, Privilege Escalation
  • Exploit Status: Proof-of-Concept Available

Affected Systems

  • UNIX-like operating systems utilizing the default /tmp directory
  • Shared Continuous Integration / Continuous Deployment (CI/CD) runner environments
  • Multi-user Linux development servers running Python test suites
  • pytest: <= 9.0.2 (Fixed in: > 9.0.2)

Exploit Details

  • GitHub Issue #13669: Conceptual Proof of Concept demonstrating local symlink hijacking in /tmp

Mitigation Strategies

  • Upgrade pytest to a version greater than 9.0.2 to incorporate the randomized directory creation patch.
  • Utilize the --basetemp command-line flag to specify an exclusively owned temporary directory.
  • Enforce operating system-level protections against malicious symlink traversal.
  • Configure the PYTEST_DEBUG_TEMPROOT environment variable to override the default predictable root.

Remediation Steps:

  1. Identify all development and CI/CD environments utilizing pytest versions up to 9.0.2.
  2. Update project dependency files (requirements.txt, pyproject.toml) to require pytest > 9.0.2.
  3. If unable to immediately update, modify CI/CD test execution scripts to create a private temporary directory first (e.g., MY_TMP=$(mktemp -d)) and append --basetemp=$MY_TMP to the pytest invocation.
  4. Ensure Linux kernel protections are enabled by running sysctl -w fs.protected_symlinks=1 and sysctl -w fs.protected_hardlinks=1.
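
A pre-run check for shared hosts and CI runners, added here as an example (not pytest's or the advisory's own code): it inspects the predictable root with lstat and reports a pre-created symlink, a foreign owner, or group/other access. The function names and finding labels are hypothetical; the path layout and the PYTEST_DEBUG_TEMPROOT precedence are assumptions taken from this advisory's description.

```python
import getpass
import os
import stat
import tempfile
from pathlib import Path


def predictable_root(user=None, temproot=None):
    """Default base temp root per the advisory: <temproot>/pytest-of-<user>.

    Assumption: PYTEST_DEBUG_TEMPROOT, when set, replaces the system temp dir.
    """
    temproot = temproot or os.environ.get("PYTEST_DEBUG_TEMPROOT") or tempfile.gettempdir()
    return Path(temproot) / f"pytest-of-{user or getpass.getuser()}"


def audit_root(path, expected_uid=None):
    """Return a list of findings for `path`; an empty list means nothing suspicious."""
    expected_uid = os.getuid() if expected_uid is None else expected_uid
    try:
        st = os.lstat(path)  # lstat inspects the entry itself and never follows a link
    except FileNotFoundError:
        return []  # nobody has pre-created the predictable path
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink")
    elif not stat.S_ISDIR(st.st_mode):
        findings.append("not-a-directory")
    if st.st_uid != expected_uid:
        findings.append("foreign-owner")
    # Mode bits on a symlink are meaningless, so only check real entries.
    if not stat.S_ISLNK(st.st_mode) and st.st_mode & 0o077:
        findings.append("group-or-other-access")
    return findings


if __name__ == "__main__":
    root = predictable_root()
    problems = audit_root(root)
    print(f"{root}: {', '.join(problems) or 'ok'}")
    raise SystemExit(1 if problems else 0)
```

Run it as the account that executes the test suite, before invoking pytest; a non-zero exit means the job should stop or switch to a --basetemp directory it created itself.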
