Improper Extraction Behavior in Python TarFile Module
CVE-2025-4435

7.5HIGH

Key Information:

Vendor: Python Software Foundation
Status: Cpython
Vendor: CVE Published:; 3 June 2025

🔔 Create Python Software Foundation Vulnerability Alert

What is CVE-2025-4435?

In the TarFile module of Python, a flaw exists when TarFile.errorlevel is set to 0 while extracting files with a filter. Expected behavior dictates that filtered members should be omitted from extraction. However, a flaw in the processing logic leads to these members being extracted nonetheless, causing unintended data exposure. This can potentially lead to security concerns if sensitive information is inadvertently extracted.

Affected Version(s)

CPython 0 < 3.9.23

CPython 3.10.0 < 3.10.18

CPython 3.11.0 < 3.11.13

References

https://github.com/python/cpython/issues/135034

issue-tracking

https://github.com/python/cpython/pull/135037

patch

https://mail.python.org/archives/list/security-announce@p...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 3, 2025
Vulnerability Reserved
May 8, 2025

Credit

Chuck Woodraska

Petr Viktorin

Serhiy Storchaka

Hugo van Kemenade

Łukasz Langa

Thomas Wouters

Seth Larson