Symlink Target Bypass Vulnerability in Python's Tarfile Module
CVE-2025-4138
Key Information:
- Vendor
Python Software Foundation
- Status
- Vendor
- CVE Published:
- 3 June 2025
Badges
What is CVE-2025-4138?
The tarfile module in Python versions 3.12 and later has a vulnerability that allows the extraction filter to be bypassed. This exploitation can lead to the extraction of symlink targets that point outside of the intended destination directory and unauthorized modification of file metadata. This issue primarily affects scenarios where untrusted tar archives are processed using TarFile.extractall() or TarFile.extract() functions, especially when the filter parameter is set to 'data' or 'tar'. Users should be cautious when handling untrusted sources and consider employing additional verification measures to mitigate risks associated with extracted files.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
CPython 0 < 3.9.23
CPython 3.10.0 < 3.10.18
CPython 3.11.0 < 3.11.13
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved