Platform
python
Component
tarfile
Fixed in
3.10.18
3.11.13
3.12.11
3.13.4
3.14.0b3
CVE-2025-4330 is a directory traversal vulnerability discovered in the Python tarfile module. This flaw allows attackers to potentially write files outside the intended extraction directory when processing untrusted tar archives, leading to arbitrary file modification and potential system compromise. The vulnerability affects Python versions 3.10.0 through 3.14.0b3, and a fix is available in version 3.14.0b3.
The core of this vulnerability lies in the tarfile module's handling of extraction filters. When using TarFile.extractall() or TarFile.extract() with the filter parameter set to "data" or "tar", the filter logic can be bypassed. This bypass allows an attacker to craft a malicious tar archive containing symlinks that point outside the intended extraction directory. Consequently, an attacker could overwrite or delete files in arbitrary locations on the system, potentially gaining unauthorized access or disrupting system operations. The blast radius extends to any system where untrusted tar archives are processed using the vulnerable tarfile module, especially in automated scripts or web applications.
This vulnerability was publicly disclosed on June 3, 2025. There is currently no indication of active exploitation in the wild, but the availability of a public CVE and the relatively simple nature of the bypass suggest a potential for exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge as the vulnerability gains more attention.
Systems that automatically process untrusted tar archives, such as build servers, data ingestion pipelines, or web applications that allow users to upload archives, are particularly at risk. Environments using older Python versions (3.10.0 - 3.14.0b3) are also vulnerable. Shared hosting environments where multiple users can upload files are also at increased risk.
• python / server:
find / -name '*.tar.gz' -o -name '*.tar.bz2' -o -name '*.tar'
• python / server:
journalctl -u python3 | grep "TarFile.extractall" | grep "filter="
• python / server:
ps aux | grep "TarFile.extractall" | grep "filter="
Disclosure
Exploit status
EPSS
0.36% (58th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-4330 is to upgrade to Python version 3.14.0b3 or later, where the default value of the filter parameter has been changed to prevent this bypass. If upgrading is not immediately feasible, avoid using the filter parameter with values of "data" or "tar" when extracting untrusted tar archives. Consider implementing input validation to ensure that the tar archive does not contain malicious symlinks before extraction. For environments where upgrading is impossible, carefully review and restrict the directories where tar archives are extracted. After upgrading, confirm the fix by attempting to extract a known malicious tar archive containing symlinks outside the intended extraction directory; the extraction should fail.
Upgrade the CPython library to version 3.10.18 or later, 3.11.13 or later, 3.12.11 or later, 3.13.4 or later, or 3.14.0b3 or later. Avoid using the `filter=` parameter with the values 'data' or 'tar' when extracting untrusted tar archives with `TarFile.extractall()` or `TarFile.extract()`.
CVE-2025-4330 is a directory traversal vulnerability in Python's tarfile module affecting versions 3.10.0–3.14.0b3. It allows attackers to write files outside the intended extraction directory when processing untrusted tar archives.
You are affected if you are using Python versions 3.10.0 through 3.14.0b3 and processing untrusted tar archives using TarFile.extractall() or TarFile.extract() with the filter parameter set to 'data' or 'tar'.
Upgrade to Python 3.14.0b3 or later. Alternatively, disable the filter parameter or implement strict input validation when extracting untrusted archives.
As of the current date, there are no known public exploits or active campaigns targeting CVE-2025-4330.
Refer to the official Python documentation and security advisories for detailed information: https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter