File Metadata Modification Vulnerability in Python 3.12+
CVE-2024-12718

10 CRITICAL

What is CVE-2024-12718?

A security flaw in Python's tarfile module allows unauthorized modification of file metadata and permissions when untrusted tar archives are extracted. The vulnerability is triggered when TarFile.extractall() or TarFile.extract() is called with the filter parameter set to 'data' or 'tar' in Python 3.12 and later. Users should be cautious, because the default filter behavior changed in Python 3.14, which may inadvertently expose applications to this risk. It is critical to avoid extracting archives from untrusted sources and to monitor project updates for patches.
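The advisory's two recommendations are to run a fixed release and to keep untrusted archives away from tarfile. The Python block below is an added illustration of a defensive extraction pattern; it is not part of the advisory and not CPython's own code. It checks the running interpreter against the fix releases the page lists for 3.9, 3.10 and 3.11, and it vets every archive member before anything is written, so the protection does not depend on the built-in 'data' or 'tar' filter being correct. The vetting rules (no link or special members, no paths resolving outside the destination, clamped permission bits), the constructed sample archive and the function names (interpreter_is_fixed, vet_members, safe_extract, build_sample_archive, run_demo) are all assumptions of this example; the page does not describe the exact trigger of the flaw, so the rules are generic hardening choices rather than a description of it.

```python
import io
import os
import sys
import tarfile
import tempfile
from pathlib import Path

# Fix releases copied from the advisory's "Affected Version(s)" list.
# Assumption: only the three branches the page lists are encoded here;
# any other branch yields None ("unknown") rather than a guess.
FIXED_RELEASES = {
    (3, 9): (3, 9, 23),
    (3, 10): (3, 10, 18),
    (3, 11): (3, 11, 13),
}


def interpreter_is_fixed(version=tuple(sys.version_info[:3])):
    """True/False for a branch the advisory lists, None for any other branch."""
    fixed = FIXED_RELEASES.get(tuple(version[:2]))
    if fixed is None:
        return None
    return tuple(version[:3]) >= fixed


def vet_members(tar, dest):
    """Decide, before anything touches the filesystem, which members may be extracted.

    Returns (accepted_members, rejected) where rejected is a list of (name, reason).
    The rules are conservative hardening choices made for this example, independent
    of the exact trigger (which the advisory does not describe):
      * no symlink or hardlink members,
      * no device, FIFO or other special members,
      * every name must resolve inside dest,
      * permission bits clamped: no setuid/setgid/sticky, no group/world write.
    """
    dest = Path(dest).resolve()
    accepted, rejected = [], []
    for member in tar.getmembers():
        if member.issym() or member.islnk():
            rejected.append((member.name, "link member"))
            continue
        if not (member.isfile() or member.isdir()):
            rejected.append((member.name, "special member type"))
            continue
        target = (dest / member.name).resolve()
        if target != dest and dest not in target.parents:
            rejected.append((member.name, "path escapes destination"))
            continue
        member.mode &= 0o755  # drop suid/sgid/sticky and any group/world write bit
        accepted.append(member)
    return accepted, rejected


def safe_extract(tar, dest):
    """Extract only vetted members. The built-in 'data' filter is kept where the
    interpreter offers it, but the protection above does not depend on it."""
    accepted, rejected = vet_members(tar, dest)
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    tar.extractall(path=dest, members=accepted, **kwargs)
    return accepted, rejected


def build_sample_archive():
    """Constructed sample archive (not from the advisory): one benign file,
    one setuid binary, one traversal name and one symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, payload, mode):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.mode = mode
            tar.addfile(info, io.BytesIO(payload))

        add_file("pkg/README", b"hello\n", 0o644)
        add_file("pkg/bin/tool", b"#!/bin/sh\necho tool\n", 0o4755)  # setuid bit set
        add_file("../escape.txt", b"outside\n", 0o644)
        link = tarfile.TarInfo("pkg/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../outside"
        tar.addfile(link)
    return buf.getvalue()


def run_demo():
    """Vet and extract the constructed archive into a temporary directory and
    report what was accepted, what was rejected, and the clamped mode of the tool."""
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(build_sample_archive()), mode="r") as tar:
            accepted, rejected = safe_extract(tar, dest)
        extracted = sorted(
            str(p.relative_to(dest)) for p in Path(dest).rglob("*") if p.is_file()
        )
        tool_mode = os.stat(Path(dest, "pkg", "bin", "tool")).st_mode & 0o7777
    return {
        "accepted": [m.name for m in accepted],
        "rejected": sorted(name for name, _ in rejected),
        "extracted": extracted,
        "tool_mode": tool_mode,
    }


if __name__ == "__main__":
    print("interpreter fixed:", interpreter_is_fixed())
    print(run_demo())
```

Running the block prints whether the interpreter is at or past the fix release for its branch (None for a branch the page does not list) and shows that only the README and the tool are written, with the tool's setuid bit stripped to 0o755, while the traversal name and the symlink are refused before extraction starts.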

Affected Version(s)

CPython (all versions) < 3.9.23

CPython 3.10.0 < 3.10.18

CPython 3.11.0 < 3.11.13

CVSS v4

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jakub Wilk
Seth Larson
Petr Viktorin
Serhiy Storchaka
Hugo van Kemenade
Ɓukasz Langa
Thomas Wouters