Tarfile Module Vulnerability in Python Software
CVE-2025-13462


What is CVE-2025-13462?

The Tarfile module in Python software mishandles certain inputs: the normalization intended for AREGTYPE header blocks is wrongly applied to DIRTYPE blocks while multi-block members such as GNUTYPE_LONGNAME and GNUTYPE_LONGLINK are processed. A crafted tar archive can therefore be interpreted by the Tarfile module differently from how other tar implementations interpret it, and that divergence is where the security risk lies. Validating tar archive inputs before they are processed mitigates the issue.
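As an added example (not taken from the advisory or from CPython), the check below parses the raw 512-byte tar headers independently and compares each member's name and type with tarfile's own interpretation, so an archive on which the two disagree about a multi-block (GNUTYPE_LONGNAME) member can be rejected before extraction. The constructed sample archive, the AREGTYPE trailing-slash rule applied to the full long name, and the GNU-format-only assumption (no ustar prefix field) are mine.

```python
import io
import tarfile

AREGTYPE, DIRTYPE, LONGNAME, LONGLINK = b"\0", b"5", b"L", b"K"

def scan_raw_headers(data: bytes) -> list[tuple[str, bytes]]:
    """Parse the 512-byte headers independently of tarfile and return (name, effective
    typeflag) per real member; GNU long-name blocks are attached to the member after them.
    Assumption: GNU-format archive, no ustar prefix field in use."""
    members, pending, pos = [], None, 0
    while pos + 512 <= len(data) and data[pos:pos + 512] != b"\0" * 512:
        hdr = data[pos:pos + 512]
        size = int(hdr[124:136].strip(b" \0") or b"0", 8)
        typeflag, payload = hdr[156:157], data[pos + 512:pos + 512 + size]
        pos += 512 + ((size + 511) // 512) * 512          # skip payload blocks to next header
        if typeflag == LONGNAME:                           # multi-block member: name comes first
            pending = payload.split(b"\0")[0].decode("utf-8", "surrogateescape")
            continue
        if typeflag == LONGLINK:                           # link target not needed for this check
            continue
        name = pending or hdr[:100].split(b"\0")[0].decode("utf-8", "surrogateescape")
        pending = None
        if typeflag == AREGTYPE and name.endswith("/"):    # V7 rule, applied to the FULL name
            typeflag = DIRTYPE
        members.append((name.rstrip("/"), typeflag))
    return members

def cross_check(data: bytes) -> list[str]:
    """Pre-extraction audit: list members whose name or type differs between tarfile's
    view and the raw scan. A non-empty result means the archive should be rejected."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        seen = [(m.name.rstrip("/"), m.type) for m in tf.getmembers()]
    raw = scan_raw_headers(data)
    problems = [f"member {i}: tarfile={a!r} raw={b!r}"
                for i, (a, b) in enumerate(zip(seen, raw)) if a != b]
    if len(seen) != len(raw):
        problems.append(f"member count differs: tarfile={len(seen)} raw={len(raw)}")
    return problems

def build_sample() -> bytes:
    """Constructed sample: a GNU archive whose directory and file names exceed the
    100-byte name field, so each is preceded by a GNUTYPE_LONGNAME block."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:", format=tarfile.GNU_FORMAT) as tf:
        d = tarfile.TarInfo("d" * 120)
        d.type, d.mode = DIRTYPE, 0o755
        tf.addfile(d)
        f = tarfile.TarInfo("d" * 120 + "/" + "f" * 40)
        f.size = 5
        tf.addfile(f, io.BytesIO(b"hello"))
    return buf.getvalue()
```

Run `cross_check(build_sample())` on a well-formed archive and it returns an empty list; any disagreement between the two parsers is reported per member.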

Affected Version(s)

CPython 0 < 3.13.13

CPython 3.14.0 < 3.14.4

CPython 3.15.0a1 < 3.15.0a8

References

CVSS V4

Score: 2
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved