Platform
python
Component
tarfile
Fixed in
3.10.18
3.11.13
3.12.11
3.13.4
3.14.0b3
CVE-2025-4330 is a directory traversal vulnerability discovered in the Python tarfile module. This flaw allows attackers to potentially write files outside the intended extraction directory when processing untrusted tar archives, leading to arbitrary file modification and potential system compromise. The vulnerability affects Python versions 3.10.0 through 3.14.0b3, and a fix is available in version 3.14.0b3.
An attacker can exploit this vulnerability by crafting a malicious tar archive that contains symlinks pointing outside the intended extraction directory. When TarFile.extractall() or TarFile.extract() is called with the filter parameter set to 'data' or 'tar', the extraction filter is bypassed, allowing the symlinks to be resolved and files to be written to arbitrary locations on the system. This could allow an attacker to overwrite critical system files, execute arbitrary code, or gain unauthorized access to sensitive data. The potential impact is significant, especially in environments where untrusted tar archives are routinely processed.
This vulnerability was publicly disclosed on June 3, 2025. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The vulnerability's impact is dependent on the environment and the trust placed in the source of the tar archives.
Exploit Status
EPSS
0.36% (58% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to Python 3.14.0b3 or later, where the default value of the filter parameter has been changed to prevent this bypass. If upgrading is not immediately feasible, consider disabling the use of the filter parameter entirely when extracting untrusted archives. Alternatively, implement strict input validation to ensure that the extracted files are confined to the intended directory. Consider using a WAF or proxy to inspect incoming tar archives for malicious symlinks before processing them. For existing deployments, review code that uses TarFile.extractall() or TarFile.extract() with the filter parameter and implement the recommended mitigations.
Actualice la biblioteca CPython a la versión 3.10.18 o superior, 3.11.13 o superior, 3.12.11 o superior, 3.13.4 o superior, o 3.14.0b3 o superior. Evite usar el parámetro `filter=` con valores 'data' o 'tar' al extraer archivos tar no confiables con `TarFile.extractall()` o `TarFile.extract()`.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-4330 is a directory traversal vulnerability in Python's tarfile module affecting versions 3.10.0–3.14.0b3. It allows attackers to write files outside the intended extraction directory when processing untrusted tar archives.
You are affected if you are using Python versions 3.10.0 through 3.14.0b3 and processing untrusted tar archives using TarFile.extractall() or TarFile.extract() with the filter parameter set to 'data' or 'tar'.
Upgrade to Python 3.14.0b3 or later. Alternatively, disable the filter parameter or implement strict input validation when extracting untrusted archives.
As of the current date, there are no known public exploits or active campaigns targeting CVE-2025-4330.
Refer to the official Python documentation and security advisories for detailed information: https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.