Platform
python
Component
tarfile
Fixed in
3.10.18
3.11.13
3.12.11
3.13.4
3.14.0b3
CVE-2025-4138 is a directory traversal vulnerability discovered in the Python tarfile module. This flaw allows attackers to extract files from tar archives into arbitrary locations, potentially overwriting critical system files or gaining unauthorized access. The vulnerability affects Python versions 3.10.0 through 3.14.0b3, and a fix is available in version 3.14.0b3.
An attacker exploiting CVE-2025-4138 can craft a malicious tar archive designed to extract files outside the intended destination directory. By manipulating symlink targets within the archive, they can overwrite files in sensitive locations, such as system directories or application configuration files. This could lead to arbitrary code execution, data breaches, or complete system compromise. The vulnerability stems from the tarfile module's handling of extraction filters, specifically when filter='data' or filter='tar' is used with untrusted archives. This bypasses intended security checks and allows for traversal outside the designated extraction path.
This vulnerability was publicly disclosed on June 3, 2025. Currently, there are no known active exploitation campaigns targeting CVE-2025-4138. No public proof-of-concept exploits have been released, but the vulnerability's nature suggests a relatively low barrier to exploitation. The vulnerability is not currently listed on the CISA KEV catalog.
Systems using Python 3.10.0 through 3.14.0b3 that process untrusted tar archives are at risk. This includes web applications, automation scripts, and any system that relies on the tarfile module to extract archives from external sources. Shared hosting environments where multiple users can upload files are particularly vulnerable.
• python / server:
find / -name '*tar.gz' -o -name '*tar.bz2' -o -name '*tar'
• python / supply-chain:
import tarfile

def check_tarfile_extraction(filepath, destination):
    """Dry-run the 'data' extraction filter over every member of an archive.

    Nothing is written to disk: tarfile.data_filter() is applied to each
    member with `destination` as the target directory, and it raises a
    tarfile.FilterError for members it would refuse (absolute paths,
    traversal outside `destination`, links pointing outside it).
    Returns True if at least one member was rejected.
    Note: on the affected versions listed above the filter itself misses the
    symlink case this CVE describes, so a clean result on such a version does
    not prove the archive is safe; upgrade first, then use this as a check.
    """
    rejected = False
    with tarfile.open(filepath, 'r') as tar:
        for member in tar.getmembers():
            try:
                tarfile.data_filter(member, destination)
            except tarfile.FilterError as e:
                print(f"{member.name}: rejected by data filter ({e})")
                rejected = True
    return rejected

# Example usage (replace with actual file paths); the archive is never
# extracted, so `destination` only needs to name the intended target directory.
filepath = '/path/to/your/archive.tar.gz'
destination = '/tmp/extraction_test'
if check_tarfile_extraction(filepath, destination):
    print(f"Unsafe members found in {filepath}")
else:
    print(f"No members rejected in {filepath}")
Disclosure
Exploit status
EPSS
0.10% (27th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-4138 is to upgrade to Python 3.14.0b3 or later, where the default value of the filter parameter has been changed to prevent this behavior. If upgrading is not immediately feasible, avoid using the filter parameter with untrusted tar archives. Alternatively, carefully validate the extraction path and file names within the archive before extracting. Consider using a dedicated tar archive extraction library that implements stricter security checks. For environments where untrusted archives must be processed, implement a sandboxing mechanism to isolate the extraction process.
Update the CPython library to version 3.10.18 or later, 3.11.13 or later, 3.12.11 or later, 3.13.4 or later, or 3.14.0b3 or later. Avoid using the `TarFile.extractall()` or `TarFile.extract()` function with the `filter=` parameter set to 'data' or 'tar' on untrusted tar archives.
CVE-2025-4138 is a directory traversal vulnerability in Python's tarfile module affecting versions 3.10.0–3.14.0b3. It allows attackers to extract files outside the intended directory when using the 'data' or 'tar' filter.
You are affected if you are using Python versions 3.10.0 through 3.14.0b3 and extracting untrusted tar archives using TarFile.extractall() or TarFile.extract() with the filter='data' or filter='tar' parameter.
Upgrade to Python 3.14.0b3 or later. Alternatively, avoid using the filter parameter with 'data' or 'tar' when extracting untrusted archives.
No active exploitation has been confirmed, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the Python security advisory for CVE-2025-4138 on the Python website (https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter).