Arbitrary Filesystem Write Vulnerability in Python Tarfile Module
CVE-2025-4517

9.4 CRITICAL

What is CVE-2025-4517?

CVE-2025-4517 is an arbitrary filesystem write vulnerability in the Python tarfile module, the standard-library component for reading and writing tar archives. It affects applications that extract untrusted tar archives with TarFile.extractall() or TarFile.extract() while the filter= parameter is set to "data" or "tar", including code that simply relies on the new default of "data" in Python 3.14 and later. A crafted archive can make extraction write files to locations outside the intended extraction directory, which an attacker can use to overwrite existing files or plant new ones, putting the confidentiality, integrity and availability of the affected system at risk.

Any organization that uses tarfile to unpack archives from untrusted sources (user uploads, fetched build artifacts, third-party packages), whether directly or indirectly through shutil.unpack_archive(), is exposed. A successful exploit lets an attacker place content of their choosing at paths of their choosing on the extracting host, which is typically enough to deliver a payload or take over the account the extracting process runs as, undermining the security of the Python application built on top of it.
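As an added example (not code from CPython or from this advisory), the following script shows the defence in depth a practitioner would put around extractall() for untrusted input: a pre-extraction audit that is deliberately stricter than the "data" filter, extraction with that filter where the interpreter supports it, and a post-extraction check that nothing on disk resolves outside the destination. The two archives it builds are constructed samples; the FIXED_RELEASES table covers only the three branches listed on this page; has_unsafe_components, audit_member, safe_extract and the other names are chosen here, not taken from the tarfile API.

```python
"""Audit-then-extract for untrusted tar archives (added example, not CPython code)."""
import io
import os
import sys
import tarfile
import tempfile
from typing import Dict, List, Optional, Tuple

# Member types the policy accepts: files, directories, symlinks and hardlinks.
# Devices and FIFOs are refused outright (the 'data' filter refuses them too).
ALLOWED_TYPES = {tarfile.REGTYPE, tarfile.AREGTYPE, tarfile.DIRTYPE,
                 tarfile.SYMTYPE, tarfile.LNKTYPE}

# Fixed releases for the branches listed on this page only (assumption: later
# branches are not covered by this table and report None).
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (3, 9): (3, 9, 23), (3, 10): (3, 10, 18), (3, 11): (3, 11, 13)}


def interpreter_has_fix(version: Tuple[int, ...] = tuple(sys.version_info[:3])) -> Optional[bool]:
    """True/False for a listed branch, None for a branch the table does not cover."""
    fixed = FIXED_RELEASES.get(tuple(version[:2]))
    return None if fixed is None else tuple(version[:3]) >= fixed


def has_unsafe_components(path: str) -> bool:
    """Refuse absolute paths, NUL bytes, backslashes (conservative) and any '..'.

    The check runs on the raw string, not a normalised one, so 'a/../b' is
    refused even though it normalises to 'b': this bug class exists precisely
    because lexical normalisation and the filesystem disagree once a symlink
    sits in the way."""
    if not path or path.startswith("/") or "\\" in path or "\x00" in path:
        return True
    return ".." in path.split("/")


def audit_member(member: tarfile.TarInfo) -> Optional[str]:
    """Return a rejection reason, or None if the member passes the policy.

    Symlink targets are relative to the link's own directory and hardlink
    targets to the archive root; with '..' banned in both names and targets,
    a chain of links can only lead further down the extraction tree."""
    if member.type not in ALLOWED_TYPES:
        return "%s: refused member type %r" % (member.name, member.type)
    if has_unsafe_components(member.name):
        return "%s: unsafe member name" % member.name
    if (member.issym() or member.islnk()) and has_unsafe_components(member.linkname):
        return "%s: unsafe link target %r" % (member.name, member.linkname)
    return None


def audit_archive(data: bytes) -> List[str]:
    """All rejection reasons for an in-memory archive; an empty list means clean."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        return [r for r in (audit_member(m) for m in tar) if r is not None]


def safe_extract(data: bytes, dest: str) -> List[str]:
    """Audit, extract with filter='data' where available, then verify on disk.

    dest must be an empty directory the attacker could not pre-populate (a
    pre-existing symlink inside it would defeat the lexical audit).
    Returns the extracted paths relative to dest, sorted."""
    reasons = audit_archive(data)
    if reasons:
        raise ValueError("archive rejected: " + "; ".join(reasons))
    if os.listdir(dest):
        raise ValueError("refusing to extract into a non-empty directory")
    dest_real = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        # The audit is the defence on interpreters that predate extraction
        # filters; the filter keyword only exists where tarfile.data_filter does.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **extra)
    extracted = []
    for root, dirs, files in os.walk(dest):  # followlinks=False: never descend a link
        for name in dirs + files:
            path = os.path.join(root, name)
            if os.path.commonpath([dest_real, os.path.realpath(path)]) != dest_real:
                raise RuntimeError("%s resolves outside %s" % (path, dest))
            extracted.append(os.path.relpath(path, dest))
    return sorted(extracted)


def _add_file(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def _add_special(tar: tarfile.TarFile, name: str, typ: bytes, target: str = "") -> None:
    info = tarfile.TarInfo(name)
    info.type, info.linkname = typ, target
    tar.addfile(info)


def build_benign_archive() -> bytes:
    """Constructed sample: one file plus a symlink that stays inside the tree."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_file(tar, "pkg/README", b"hello\n")
        _add_special(tar, "pkg/latest", tarfile.SYMTYPE, "README")
    return buf.getvalue()


def build_hostile_archive() -> bytes:
    """Constructed sample of the escape pattern: plant a symlink pointing out of
    the destination, then ship a file whose path runs through that link."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_special(tar, "pkg/out", tarfile.SYMTYPE, "../../..")
        _add_file(tar, "pkg/out/tmp/pwned", b"owned\n")   # written through the link
        _add_file(tar, "../escaped", b"owned\n")          # plain '..' traversal
        _add_special(tar, "pkg/dev", tarfile.CHRTYPE)     # device node
    return buf.getvalue()


def demo() -> dict:
    results = {"hostile_reasons": audit_archive(build_hostile_archive())}
    with tempfile.TemporaryDirectory() as dest:
        results["benign_extracted"] = safe_extract(build_benign_archive(), dest)
    with tempfile.TemporaryDirectory() as dest:
        try:
            safe_extract(build_hostile_archive(), dest)
            results["hostile_extracted"] = True
        except ValueError:
            results["hostile_extracted"] = False
    return results


if __name__ == "__main__":
    print("interpreter patched (listed branches only):", interpreter_has_fix())
    print(demo())
```

The audit refuses the hostile archive on three counts (the out-of-tree symlink target, the ".." member name and the device node) before a single byte touches disk; note that the member "pkg/out/tmp/pwned" itself looks harmless, which is why the link, not the file, has to be the thing you reject.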

Potential impact of CVE-2025-4517

  1. Unauthorized Filesystem Alterations: Attackers can leverage this vulnerability to write malicious files to unintended locations on the filesystem, which may lead to unauthorized access to sensitive data, configuration tampering, or the installation of further malware.

  2. System Compromise: The ability to execute arbitrary writes can allow attackers to replace legitimate files with malicious ones or introduce backdoors, potentially leading to full control of the affected system and facilitating broader attacks on interconnected networks.

  3. Reputation and Compliance Risks: Organizations affected by this vulnerability may face reputational damage and legal liabilities arising from data breaches or non-compliance with data protection regulations, particularly if sensitive or personal data is compromised as a result of an exploit.

Affected Version(s)

CPython < 3.9.23

CPython 3.10.0 < 3.10.18

CPython 3.11.0 < 3.11.13

References

CVSS V3.1

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Note: the metrics as listed (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) compute to a 9.8 base score under CVSS v3.1; a 9.4 base score corresponds to Availability: Low (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L). Check the published vector before relying on either figure.

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Caleb Brown (Google)
Petr Viktorin
Serhiy Storchaka
Hugo van Kemenade
Ɓukasz Langa
Thomas Wouters
Seth Larson