Pytest Security Flaw CVE-2025-71176: Local UNIX Users Can Trigger DoS or Gain Privileges
A newly disclosed vulnerability in the widely used Python testing framework, pytest, exposes a critical path for local privilege escalation and denial-of-service attacks on UNIX systems. The flaw, tracked as CVE-2025-71176, stems from the framework's reliance on predictable directory names under `/tmp/pytest-of-{user}`. This pattern allows any local user on the same system to potentially interfere with test execution, manipulate files, or escalate their privileges, posing a direct threat to development and CI/CD environments.
The vulnerability affects all versions of pytest through 9.0.2. The Common Vulnerability Scoring System (CVSS) rates the issue at 6.8 (Medium), with a vector indicating that local access is required, no privileges are needed, and confidentiality, integrity, and availability are all impacted. The core risk is that the predictable temporary directory structure is not securely isolated from other accounts on the host, so an unauthorized local user can interfere with the framework's file operations. This is not a remote code execution flaw, but it is a significant local attack vector that could compromise build servers, developer workstations, or any shared UNIX environment running automated tests.
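Until a host is on a fixed release, teams running tests on shared UNIX machines can at least verify that the directory pytest is about to use as its base temp directory is private to the current user. The following Python script is an added example written for this article; it is not code from the pytest project, and it does not reproduce the 9.0.3 fix. It assumes you point pytest at a directory of your own choosing via the real `--basetemp` option, and it checks that directory for the conditions a local co-tenant could abuse: a planted symlink, ownership by another user, or group/other permissions. The helper `make_private_basetemp` creates a directory with an unpredictable name and mode 0700 via `tempfile.mkdtemp`, which avoids the fixed `/tmp/pytest-of-{user}` path entirely. The three directories in `demo()` are constructed for illustration.

```python
"""Pre-flight check for a pytest --basetemp directory on a shared UNIX host.

Added example for this article; not pytest project code. The check does not
replace upgrading to pytest 9.0.3, it only refuses to run tests in a base
directory another local user could have tampered with.
"""
import os
import stat
import tempfile
from pathlib import Path


def basetemp_problems(path: Path) -> list[str]:
    """Return the reasons `path` is unsafe as a pytest basetemp.

    An empty list means the directory exists, is not a symlink, is owned by
    the current user, and grants no access to group or other.
    """
    problems: list[str] = []
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted here
    except FileNotFoundError:
        return ["does not exist"]
    if stat.S_ISLNK(st.st_mode):
        # A symlink at the expected location would redirect every file
        # pytest writes into a directory chosen by whoever created the link.
        return ["is a symlink"]
    if not stat.S_ISDIR(st.st_mode):
        problems.append("is not a directory")
    if st.st_uid != os.getuid():
        problems.append(f"owned by uid {st.st_uid}, not current uid {os.getuid()}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(
            "group/other have access (mode %o); expected 0700"
            % stat.S_IMODE(st.st_mode)
        )
    return problems


def make_private_basetemp() -> Path:
    """Create a per-run base directory with a random name and mode 0700.

    tempfile.mkdtemp guarantees both properties, so there is no predictable
    path for another local user to pre-create or symlink.
    """
    return Path(tempfile.mkdtemp(prefix="pytest-basetemp-"))


def demo() -> dict[str, list[str]]:
    """Run the check on three constructed directories and return the findings.

    Cases: a private mkdtemp directory (should pass), a world-writable
    directory (should fail on permissions), and a symlink pointing at it
    (should fail as a symlink).
    """
    results: dict[str, list[str]] = {}

    private = make_private_basetemp()
    results["private"] = basetemp_problems(private)

    # Constructed: a directory any local user could write into.
    shared = Path(tempfile.mkdtemp(prefix="pytest-shared-"))
    os.chmod(shared, 0o777)
    results["world_writable"] = basetemp_problems(shared)

    # Constructed: a symlink sitting where the base directory is expected.
    link = Path(tempfile.mkdtemp(prefix="pytest-link-parent-")) / "basetemp"
    os.symlink(shared, link)
    results["symlink"] = basetemp_problems(link)

    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case}: {'OK' if not problems else problems}")
    print("invoke tests as: pytest --basetemp", make_private_basetemp())
```

Wire `basetemp_problems` into the CI job that launches pytest and fail the job when it returns anything, rather than silently continuing in a directory another account could control; the upgrade to 9.0.3 remains the actual remediation.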
The disclosure has triggered automated security updates in dependency management systems, as seen in GitHub pull requests from bots like Renovate, which are now flagging the update to pytest 9.0.3 as a security priority. The flaw underscores the persistent security challenges in foundational developer tools and the software supply chain. Organizations relying on pytest for testing must urgently review and update to version 9.0.3 to mitigate the risk of local privilege escalation and ensure the integrity of their automated testing pipelines.