Symlink Target Bypass Vulnerability in Python's Tarfile Module
CVE-2025-4138

7.5HIGH

Key Information:

Vendor: Python Software Foundation
Status: Cpython
Vendor: CVE Published:; 3 June 2025

🔔 Create Python Software Foundation Vulnerability Alert

What is CVE-2025-4138?

The tarfile module in Python versions 3.12 and later has a vulnerability that allows the extraction filter to be bypassed. This exploitation can lead to the extraction of symlink targets that point outside of the intended destination directory and unauthorized modification of file metadata. This issue primarily affects scenarios where untrusted tar archives are processed using TarFile.extractall() or TarFile.extract() functions, especially when the filter parameter is set to 'data' or 'tar'. Users should be cautious when handling untrusted sources and consider employing additional verification measures to mitigate risks associated with extracted files.

Affected Version(s)

CPython 0 < 3.9.23

CPython 3.10.0 < 3.10.18

CPython 3.11.0 < 3.11.13

References

https://github.com/python/cpython/issues/135034

issue-tracking

https://github.com/python/cpython/pull/135037

patch

https://mail.python.org/archives/list/security-announce@p...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 3, 2025
Vulnerability Reserved
Apr 30, 2025

Credit

Caleb Brown (Google)

Petr Viktorin

Serhiy Storchaka

Hugo van Kemenade

Łukasz Langa

Thomas Wouters

Seth Larson