Arbitrary Filesystem Write Vulnerability in Python Tarfile Module
CVE-2025-4517

9.4 CRITICAL

What is CVE-2025-4517?

The Python tarfile module allows arbitrary filesystem writes when an untrusted tar archive is extracted with the filter parameter set to 'data' or 'tar'. This issue arises specifically in Python 3.12 or later. Code that calls TarFile.extractall() or TarFile.extract() with either of these filters is at risk. Notably, starting with Python 3.14 the default value of filter changed from 'no filtering' to 'data', so code that relies on the default is exposed as well. It is recommended to evaluate the sources of tar archives before extracting them, in particular when installing source distributions that may be harmful.

Affected Version(s)

CPython 0 < 3.9.23

CPython 3.10.0 < 3.10.18

CPython 3.11.0 < 3.11.13

CVSS V3.1

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Caleb Brown (Google)
Petr Viktorin
Serhiy Storchaka
Hugo van Kemenade
Ɓukasz Langa
Thomas Wouters
Seth Larson