Anonymous Intelligence Signal

pytest CVE-2025-71176: UNIX Temp Directory Flaw Exposes Systems to DoS, Privilege Escalation Risk

The Lab (unverified), 2026-04-26 08:54:08. Source: GitHub Issues

A critical security vulnerability in the pytest testing framework through version 9.0.2 has been identified, prompting an urgent update to version 9.0.3. The flaw, tracked as CVE-2025-71176, stems from pytest's reliance on predictable temporary directory naming conventions on UNIX systems, specifically directories following the `/tmp/pytest-of-{user}` pattern.

The vulnerability allows local users to exploit this predictable naming scheme, potentially causing denial of service conditions or escalating privileges on affected systems. The issue affects any environment running pytest on UNIX-like operating systems, including Linux distributions and macOS. Security researchers warn that the predictable temp directory structure creates a race condition window where malicious local users could hijack or interfere with pytest's temporary file handling.

The patched version 9.0.3 addresses the vulnerability by removing the predictable user-specific naming pattern. Development teams using pytest in CI/CD pipelines, automated testing environments, or local development setups should verify their current installed version and update immediately. Given that pytest is one of the most widely adopted testing frameworks in the Python ecosystem, the potential attack surface is substantial, particularly in shared development environments, build servers, and multi-tenant systems where local user access exists. Organizations with automated dependency management should confirm their systems have pulled the updated package.
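The two checks above (confirm the installed pytest version against 9.0.3, and sanity-check the per-user temp root on shared hosts) as an added Python example; this is not code from the pytest project or the advisory. It compares the installed version against the fixed release and audits a `/tmp/pytest-of-<user>` directory for the properties a private temp root should have: a real directory, owned by the current user, with no group/other permission bits. The version parser, the `0o077` permission test, `demo_audit`, and its constructed directories are my assumptions, not part of the advisory.

```python
"""CVE-2025-71176 audit (pytest <= 9.0.2, predictable /tmp/pytest-of-<user>). Added example, not pytest code; UNIX only."""
import getpass, os, stat, tempfile
from importlib import metadata
from itertools import takewhile
FIXED = (9, 0, 3, 0)  # first release without the user-named base directory (per the advisory)

def parse_version(text: str) -> tuple:
    """'9.0.2' -> (9,0,2,0); an rc/post/dev suffix appends -1 so 9.0.3rc1 ranks below 9.0.3."""
    nums, marker = [], 0
    for piece in text.split("."):
        digits = "".join(takewhile(str.isdigit, piece))
        if digits:
            nums.append(int(digits))
        if len(digits) != len(piece):  # "3rc1", "post1", "dev0": conservatively counted as unfixed
            marker = -1
            break
    return tuple((nums + [0, 0, 0])[:3]) + (marker,)

def is_vulnerable(version_text: str) -> bool:
    return parse_version(version_text) < FIXED

def installed_pytest_status():
    """(version, needs_update) for the installed pytest, or None if it is absent."""
    try:
        ver = metadata.version("pytest")
    except metadata.PackageNotFoundError:
        return None
    return ver, is_vulnerable(ver)

def audit_temp_base(path: str) -> list:
    """Findings for a per-user temp root: real dir (not a symlink), owned by us, no group/other bits."""
    findings = []
    try:
        st = os.lstat(path)  # lstat: a symlink planted at the path must not be followed
    except FileNotFoundError:
        return findings  # not pre-created by anyone: nothing to flag
    if not stat.S_ISDIR(st.st_mode):
        findings.append("symlink" if stat.S_ISLNK(st.st_mode) else "not a directory")
    if st.st_uid != os.getuid():
        findings.append(f"owned by uid {st.st_uid}, not {os.getuid()}")
    if st.st_mode & 0o077:
        findings.append(f"group/other bits set: {oct(st.st_mode & 0o777)}")
    return findings

def demo_audit() -> tuple:
    """Constructed scenario (assumption): a private 0700 dir next to a group/other-accessible one."""
    parent = tempfile.mkdtemp()
    good, loose = (os.path.join(parent, n) for n in (f"pytest-of-{getpass.getuser()}", "pytest-of-loose"))
    os.mkdir(good, 0o700)
    os.mkdir(loose); os.chmod(loose, 0o775)  # chmod because mkdir's mode is masked by umask
    return audit_temp_base(good), audit_temp_base(loose)
```

Run `audit_temp_base(f"/tmp/pytest-of-{getpass.getuser()}")` on a shared build host to see whether the directory pytest would reuse is already owned or exposed to someone else.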