Platform
python
Component
tarfile
Fixed in
3.10.18
3.11.13
3.12.11
3.13.4
3.14.0b3
CVE-2025-4517 is a critical vulnerability in the Python tarfile module that allows arbitrary filesystem writes outside the intended extraction directory. It is triggered by extracting an untrusted tar archive with an extraction filter, specifically the filter="data" option. Python 3.10.0 and later are affected up to, but not including, the fixed release of each series listed above (3.10.18, 3.11.13, 3.12.11, 3.13.4 and 3.14.0b3); upgrading to the fixed release of the series you run resolves the issue.
The vulnerability lets an attacker who controls the archive write files to locations of their choosing during extraction, with the privileges of the extracting process. Depending on what that process can reach, this can mean overwriting configuration or executable files and thereby injecting code, up to full compromise of the host. The "data" filter is the extraction filter that tarfile provides precisely for untrusted archives (it is meant to reject absolute paths, links pointing outside the destination and special files), so code that relies on it as its only safeguard is affected. Successful exploitation requires only that the attacker control the contents of an archive the application extracts. The flaw belongs to the same family as other archive-extraction bugs (often called zip-slip or tar-slip) in which member paths or links are not resolved safely before files are written.
This vulnerability was publicly disclosed on 2025-06-03. No public proof-of-concept (PoC) code had been released at the time of writing, and the EPSS estimate listed below is currently low, but the prerequisite is easy to meet wherever a service extracts user-supplied archives, so the vulnerability is a plausible target for attackers. It has not yet been added to the CISA KEV catalog.
Exploit Status
EPSS
0.11% (29th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade CPython to the fixed release of the series you run: 3.10.18, 3.11.13, 3.12.11, 3.13.4 or 3.14.0b3, or later. Python 3.14 also changes the default extraction filter to "data", but that default change is not what fixes this issue; the patch in the releases listed above is. If upgrading is not immediately feasible, do not extract untrusted tar archives on an affected version at all: neither the "data" nor the "tar" filter makes that safe there, and the "fully_trusted" filter performs no checks by design. Where extraction of untrusted archives cannot be avoided, validate every member before calling TarFile.extractall() or TarFile.extract(): reject absolute names, reject names whose resolved path falls outside the destination directory, and reject link members (symlinks and hard links), since a link is what allows a later member to be written outside the destination even when that member's own name looks harmless. Inspecting archives at a WAF or proxy can provide telemetry, but it is not a substitute for these host-side checks, because the decisive behaviour happens at extraction time.
Update the CPython library to version 3.10.18 or later, 3.11.13 or later, 3.12.11 or later, 3.13.4 or later, or 3.14.0b3 or later. Until then, avoid extracting untrusted tar archives with the 'data' or 'tar' filter via TarFile.extractall() or TarFile.extract().
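As an added example (not code from the original page, and not CPython's own fix), the following Python script shows the pre-extraction validation recommended above: every member of an in-memory archive is checked before anything is written, and the archive is refused as a whole if any member fails. The sample archives, the policy in member_problem(), and the names audit(), safe_extract() and UnsafeArchive are this example's own constructions. The policy is deliberately stricter than the stdlib "data" filter (it refuses every link member) and is a hardening measure for unpatched hosts, not a reimplementation of the upstream patch.

```python
import io
import os
import tarfile
import tempfile


class UnsafeArchive(tarfile.TarError):
    """Raised by safe_extract when any member fails the policy (example-only name)."""


def build_archive(specs) -> bytes:
    """Build an in-memory tar from (name, kind, payload) tuples.

    kind is "file" (payload = bytes) or "symlink" (payload = link target).
    Constructed sample data for this example; not a real exploit archive.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in specs:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


BENIGN = [("docs/readme.txt", "file", b"hello\n")]
HOSTILE = BENIGN + [
    ("../escape.txt", "file", b"pwned\n"),            # classic path traversal
    ("out", "symlink", "../../somewhere"),            # link whose target is above dest
    ("out/through_link.txt", "file", b"via-link\n"),  # write that would follow the link
]


def member_problem(member: tarfile.TarInfo, dest_real: str):
    """Return a reason string if the member violates the policy, else None.

    Stricter than tarfile's built-in "data" filter on purpose: every link
    member is refused, because a link is what lets a later member's write
    land outside the destination even when that member's own name looks safe.
    """
    name = member.name
    if name.startswith(("/", os.sep)) or os.path.isabs(name):
        return "absolute path"
    if member.issym() or member.islnk():
        return f"link member -> {member.linkname!r}"
    if not (member.isfile() or member.isdir()):
        return "special (non-file, non-directory) member"
    # realpath follows symlinks that already exist under dest, so a
    # pre-existing link in the destination directory is caught here too
    target = os.path.realpath(os.path.join(dest_real, name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        return f"resolves outside destination: {target}"
    return None


def audit(archive: bytes, dest: str) -> list:
    """Check every member before anything is written. Returns [(name, reason), ...]."""
    dest_real = os.path.realpath(dest)
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar.getmembers():
            reason = member_problem(m, dest_real)
            if reason:
                findings.append((m.name, reason))
    return findings


def safe_extract(archive: bytes, dest: str) -> list:
    """Refuse the whole archive on any finding; otherwise extract, keeping the
    stdlib "data" filter on as a second layer. Returns the extracted names."""
    findings = audit(archive, dest)
    if findings:
        raise UnsafeArchive(findings)
    kwargs = {}
    if hasattr(tarfile, "data_filter"):  # filter= exists on patched 3.8+ and all 3.12+
        kwargs["filter"] = "data"
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        names = tar.getnames()
        tar.extractall(os.path.realpath(dest), **kwargs)
    return names


def demo() -> dict:
    """Run both sample archives against a fresh temporary directory."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        out["hostile_findings"] = audit(build_archive(HOSTILE), d)
        try:
            safe_extract(build_archive(HOSTILE), d)
            out["hostile"] = "extracted"
        except UnsafeArchive:
            out["hostile"] = "rejected"
        out["written_after_hostile"] = sorted(os.listdir(d))  # expect nothing written
        out["benign"] = safe_extract(build_archive(BENIGN), d)
        with open(os.path.join(d, "docs", "readme.txt"), "rb") as f:
            out["benign_content"] = f.read()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note what the audit does and does not flag: "../escape.txt" and the "out" symlink are refused, while "out/through_link.txt" passes the name check on its own, because at check time no link named "out" exists and its path resolves inside the destination. That is exactly why refusing link members outright matters: the write-through only becomes dangerous once the link has been created. The check runs before any file is written, so a rejected archive leaves the destination untouched; it does not remove the need to upgrade, since it cannot close time-of-check/time-of-use windows on a shared filesystem.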
CVE-2025-4517 is a critical vulnerability in Python's tarfile module that lets an attacker who controls an archive write files outside the intended extraction directory, even when the archive is extracted with the 'data' filter.
You are affected if you run Python 3.10.0 or later below the fixed release of your series (3.10.18, 3.11.13, 3.12.11, 3.13.4 or 3.14.0b3) and extract untrusted tar archives with the filter="data" option.
Upgrade to the fixed release of your series. If upgrading is not possible, do not extract untrusted archives on the affected version, or validate every member (resolved path and link members) before calling TarFile.extractall() or TarFile.extract().
No public exploit is currently known and the listed EPSS estimate is low, but the prerequisite, a service that extracts attacker-supplied archives, is common enough that patching should not wait for one.
Refer to the Python tarfile documentation on extraction filters for detailed information and updates: https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter