pip has an interpretation conflict due to handling both concatenated tar and ZIP files as ZIP files

GHSA-58qw-9mgm-455v · CVE-2026-3219

Published Apr 20, 2026 · Modified May 20, 2026

Description

pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-3219
WEB https://github.com/pypa/pip/issues/13867
WEB https://github.com/pypa/pip/pull/13870
PACKAGE https://github.com/pypa/pip
WEB https://mail.python.org/archives/list/security-announce@python.org/thread/QAJ5JIVWWCAJ4EZL2FP5MOOW35JS7LRJ
WEB http://www.openwall.com/lists/oss-security/2026/04/20/8

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes