## Pytest 9.0.2 Security Flaw: Local UNIX Users Can Trigger DoS or Escalate Privileges
A critical security vulnerability in the widely used Python testing framework, pytest, has been disclosed, exposing UNIX-based systems to potential local privilege escalation and denial-of-service attacks. The flaw, tracked as CVE-2025-71176, is present in all versions up to and including 9.0.2. It stems from the framework's predictable use of directories named `/tmp/pytest-of-{user}`, creating a vector for local users to interfere with test execution and potentially gain elevated privileges on the host system.

The vulnerability has been assigned a CVSS v3.1 score of 6.8 (Medium), with a vector indicating low attack complexity and no user interaction required. The core issue is that the predictable temporary directory pattern allows unauthorized local users to manipulate or disrupt the testing environment. This can lead to a denial of service by corrupting test runs or, more severely, be exploited to execute code with the privileges of the user running pytest, posing a significant risk to development and CI/CD pipelines.

The pytest development team has addressed the flaw in version 9.0.3, released as a security update. This patch modifies the directory creation logic to mitigate the risk. The disclosure, accompanied by an automated dependency update pull request from RenovateBot, signals an urgent need for developers and organizations to upgrade their pytest installations immediately. Failure to patch leaves any system running automated Python tests vulnerable to local interference, which could compromise build integrity and system security.
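As an added example (not pytest's own code and not the 9.0.3 fix itself), the following Python shows the checks a fixed-name scratch directory such as `pytest-of-{user}` needs before it is reused on a shared `/tmp`: refuse a planted symlink, a directory owned by another uid, and one writable by group or other. The function names `safe_user_tmpdir` and `demonstrate` and the three user scenarios are constructed for this illustration inside a private base directory.

```python
import os
import shutil
import stat
import tempfile

def safe_user_tmpdir(base, user):
    """Create or validate base/pytest-of-<user>; a fixed name under a
    world-writable base can be pre-planted, so check the inode, not the name."""
    path = os.path.join(base, f"pytest-of-{user}")
    try:
        os.mkdir(path, 0o700)          # owner-only; EEXIST if anything is there
    except FileExistsError:
        pass                           # reuse only if the checks below pass
    try:
        # O_NOFOLLOW rejects a planted symlink, O_DIRECTORY a plain file.
        fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError as exc:
        raise PermissionError(f"{path}: refusing to use ({exc.strerror})") from exc
    try:
        st = os.fstat(fd)              # inspect the inode we opened, no TOCTOU window
        if st.st_uid != os.getuid():
            raise PermissionError(f"{path}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{path}: writable by group or other")
    finally:
        os.close(fd)
    return path

def _rejected(base, user):
    try:
        safe_user_tmpdir(base, user)
    except PermissionError:
        return True
    return False

def demonstrate():
    base = tempfile.mkdtemp(prefix="demo-base-")  # constructed private base dir
    results = {}
    good = safe_user_tmpdir(base, "alice")
    results["fresh_mode"] = stat.S_IMODE(os.stat(good).st_mode)       # 0o700
    results["reuse_ok"] = safe_user_tmpdir(base, "alice") == good
    os.symlink(base, os.path.join(base, "pytest-of-bob"))             # planted link
    results["symlink_rejected"] = _rejected(base, "bob")
    loose = os.path.join(base, "pytest-of-carol")
    os.mkdir(loose)
    os.chmod(loose, 0o777)                                            # pre-made open dir
    results["world_writable_rejected"] = _rejected(base, "carol")
    shutil.rmtree(base)
    return results
```

Independently of upgrading, pointing pytest's `--basetemp` option at a directory only the invoking user can write limits the shared-`/tmp` exposure the article describes.
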

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, software vulnerability, python, CVE-2025-71176, open source
- **Credibility**: unverified
- **Published**: 2026-04-18 17:22:42
- **ID**: 70740
- **URL**: https://whisperx.ai/en/intel/70740