Platform: python
Component: tarfile
Fixed in: 3.10.18, 3.11.13, 3.12.11, 3.13.4, 3.14.0b3
CVE-2025-4138 is a directory traversal vulnerability in the Python tarfile module. The flaw lets an attacker extract files from a tar archive into arbitrary locations, potentially overwriting critical system files or gaining unauthorized access. The vulnerability affects Python versions 3.10.0 through 3.14.0b3; fixes are available in the releases listed above, up to and including 3.14.0b3.
An attacker can exploit this vulnerability by crafting a malicious tar archive that, when extracted using TarFile.extractall() or TarFile.extract() with the filter='data' or filter='tar' parameter, allows them to write files outside the intended destination directory. This could lead to overwriting system files, injecting malicious code, or gaining unauthorized access to sensitive data. The potential impact is significant, as successful exploitation could compromise the entire system. The ability to modify file metadata further expands the attack surface, potentially allowing attackers to disguise malicious files or manipulate file access controls.
This vulnerability was publicly disclosed on June 3, 2025. No known public proof-of-concept exploits are currently available, but the ease of exploitation makes it a potential target. The vulnerability is not currently listed on the CISA KEV catalog. Given the potential for widespread impact and the relative simplicity of exploitation, it is considered a medium-high probability threat.
Exploit Status
EPSS: 0.10% (27th percentile)
CISA SSVC: not provided
CVSS Vector: not provided
The primary mitigation is to upgrade to Python 3.14.0b3 or later (or to the corresponding fixed release of your Python line listed above), where the default value of the filter parameter has been changed to prevent this behavior. If upgrading is not immediately feasible, avoid using the filter parameter with the values 'data' or 'tar' when extracting untrusted tar archives. Alternatively, implement strict input validation and sanitization so that every extraction path resolves within the expected directory. Consider using a dedicated tar archive extraction library with built-in security features. After upgrading, confirm the fix by attempting to extract a known malicious tar archive and verifying that it is prevented from writing outside the intended directory.
Update the CPython library to version 3.10.18 or later, 3.11.13 or later, 3.12.11 or later, 3.13.4 or later, or 3.14.0b3 or later. Avoid using `TarFile.extractall()` or `TarFile.extract()` with the `filter=` parameter set to 'data' or 'tar' on untrusted tar archives.
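The path validation recommended above, as an added example that is not part of this advisory or of CPython: every member name and link target is resolved against the destination before anything is written, the whole archive is refused if any member escapes, and the built-in 'data' filter is kept as a second layer where the interpreter provides it. The archive fixture (one benign file, one '..' path, one escaping symlink) and the destination path `/srv/extract` are constructed for the demonstration.

```python
import io
import os
import tarfile

def member_is_contained(member: tarfile.TarInfo, dest: str) -> bool:
    """True only if extracting `member` cannot touch anything outside `dest`."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member.name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        return False  # absolute name or '..' component escapes dest
    if member.issym() or member.islnk():
        # symlink targets are relative to the member's directory, hard link
        # targets to the archive root; an absolute target fails commonpath too
        base = os.path.dirname(target) if member.issym() else dest_real
        link_target = os.path.realpath(os.path.join(base, member.linkname))
        if os.path.commonpath([dest_real, link_target]) != dest_real:
            return False
    return True

def vet_archive(data: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Classify members as (accepted, rejected) by name without extracting."""
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            (accepted if member_is_contained(m, dest) else rejected).append(m.name)
    return accepted, rejected

def safe_extract(data: bytes, dest: str) -> list[str]:
    """Refuse the whole archive if any member fails the check, else extract it."""
    accepted, rejected = vet_archive(data, dest)
    if rejected:
        raise ValueError(f"refusing archive, unsafe members: {rejected}")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        # keep the built-in filter as a second layer where this interpreter has it
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
    return accepted

def build_sample_archive() -> bytes:
    """Constructed fixture: a benign file, a '..' path and a symlink escaping dest."""
    buf, payload = io.BytesIO(), b"hello\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "../escape.txt"):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("docs/link")
        link.type, link.linkname = tarfile.SYMTYPE, "../../outside"
        tar.addfile(link)
    return buf.getvalue()
```

Run `vet_archive(build_sample_archive(), "/srv/extract")` to see the benign member accepted and the two escaping members rejected; `safe_extract` on the same input refuses before writing anything.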
CVE-2025-4138 is a directory traversal vulnerability in Python's tarfile module affecting versions 3.10.0–3.14.0b3. It allows attackers to extract files outside the intended directory when using the 'data' or 'tar' filter.
You are affected if you are using Python versions 3.10.0 through 3.14.0b3 and extracting untrusted tar archives using TarFile.extractall() or TarFile.extract() with the filter='data' or filter='tar' parameter.
Upgrade to Python 3.14.0b3 or later. Alternatively, avoid using the filter parameter with 'data' or 'tar' when extracting untrusted archives.
No active exploitation has been confirmed, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the Python security advisory for CVE-2025-4138 on the Python website (https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter).