Platform
python
Component
tarfile
Fixed in
3.10.18
3.11.13
3.12.11
3.13.4
3.14.0b3
CVE-2025-4517 is a critical vulnerability in the Python tarfile module that allows arbitrary filesystem writes outside the intended extraction directory. It is triggered when an untrusted tar archive is extracted with TarFile.extractall() or TarFile.extract() using filter="data", the very filter that is supposed to make such extraction safe. Affected are 3.10 releases before 3.10.18, 3.11 before 3.11.13, 3.12 before 3.12.11, 3.13 before 3.13.4 and 3.14 pre-releases before 3.14.0b3; the releases listed above contain the fix. Because Python 3.14 makes "data" the default filter, code on a 3.14 pre-release that never passes filter= at all is affected as well.
The vulnerability lets an attacker who controls the archive write files to locations of their choosing during extraction, for example overwriting configuration files, startup scripts or application code, which can lead to code execution and full compromise of the extracting host. The filter="data" option exists precisely to reject unsafe members (absolute names, paths that escape the destination, links pointing outside it); in affected versions its path checks can be bypassed, so callers who relied on the filter for safety are exposed. Exploitation requires only that the attacker controls the contents of the archive being extracted. The flaw belongs to the well-known family of archive path-traversal ("zip slip") issues in which member names are not correctly constrained to the extraction directory.
This vulnerability was publicly disclosed on 2025-06-03. Its critical CVSS score and the low effort needed to exploit it (a crafted archive handed to a vulnerable extractor is enough) make it an attractive target, although the EPSS score of 0.11% indicates little observed exploitation activity so far. No public proof-of-concept (PoC) code had been released at the time of writing, and the vulnerability has not been added to the CISA KEV catalog.
Applications and systems that use the Python tarfile module to process untrusted tar archives are at risk. This includes build systems, deployment pipelines and any application that accepts tar archives from external sources. Multi-tenant and shared hosting environments where uploaded archives are extracted server-side are particularly exposed, because a single malicious upload can write into files belonging to other tenants or to the host.
• python / server:
Check the interpreter version against the fixed releases and locate code that extracts archives with the data or tar filter; grep the application's Python sources (the archives themselves contain nothing to search for):
grep -rnE --include='*.py' "filter\s*=\s*['\"](data|tar)['\"]" /path/to/app
• python / supply-chain:
tarfile is part of the standard library, so there is no package to pin; verify the interpreter version shipped in container images, virtual environments and CI runners (python3 --version) against the fixed releases, and confirm that build and deployment tooling that unpacks sdists or other tar archives runs on a patched interpreter.
• generic web:
Log and retain uploads of tar archives (.tar, .tar.gz, .tgz) in web server access logs, especially from untrusted sources, so that a suspicious archive can be traced to its origin; the web tier cannot observe the extraction itself, so treat this as an investigative aid rather than a control.
Disclosure: 2025-06-03
Exploit status: no public PoC known; not listed in CISA KEV
EPSS: 0.11% (29th percentile)
The primary mitigation is to upgrade to a fixed release (3.10.18, 3.11.13, 3.12.11, 3.13.4 or 3.14.0b3, or later). Note that the 3.14 change of the default filter to "data" is not the fix; the patched releases correct the filter's path handling. If upgrading is not immediately feasible, do not rely on the filter alone: before calling TarFile.extractall() or TarFile.extract() on untrusted input, inspect each member and verify that its resolved destination (os.path.realpath of the destination joined with the member name, evaluated just before that member is written) stays inside the intended directory, and reject absolute names, ".." components, links whose targets resolve outside the directory, and device or FIFO members. Extract into a freshly created, dedicated directory as an unprivileged user so that any escape has limited reach. Inspecting archives at a WAF or proxy is of limited value, since hostile member names are only meaningful relative to the extraction directory and archives are often compressed. Do not react by dropping the filter parameter: extracting without a filter (the fully_trusted behaviour) is strictly less safe than extracting with "data".
Update the CPython library to version 3.10.18 or higher, 3.11.13 or higher, 3.12.11 or higher, 3.13.4 or higher, or 3.14.0b3 or higher. Until then, do not extract untrusted tar archives with TarFile.extractall() or TarFile.extract(), even with the 'data' or 'tar' filter, because on affected versions these filters do not protect against this issue.
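The per-member path validation described above, as an added example that is not part of the original advisory or of CPython itself: a safe_extract() helper that resolves every member's final path on the live filesystem immediately before writing it, refuses absolute names, traversal, links that resolve outside the destination and special files, and still passes filter="data" where the interpreter supports it as a second layer. The archive it runs against is constructed in memory and contains only textbook hostile member shapes; it is not a proof of concept for CVE-2025-4517. The helper names (build_sample_archive, safe_extract, demo) are this example's own.

```python
import io
import os
import tarfile
import tempfile

# Pass the "data" filter as a second layer when the interpreter has extraction
# filters (tarfile.data_filter exists from the PEP 706 backports onward).
EXTRACT_KW = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}


def build_sample_archive() -> bytes:
    """Constructed sample: one benign file plus classic hostile member shapes.
    Illustrative input only, not a CVE-2025-4517 proof of concept."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("pkg/README.txt", b"hello\n")          # benign
        add_file("../escape.txt", b"outside\n")         # parent traversal
        add_file("/tmp/absolute.txt", b"outside\n")     # absolute name
        link = tarfile.TarInfo("pkg/link")              # symlink escaping dest
        link.type = tarfile.SYMTYPE
        link.linkname = "../../"
        tar.addfile(link)
        add_file("pkg/link/payload.txt", b"outside\n")  # would write through the link
    return buf.getvalue()


def _inside(base: str, target: str) -> bool:
    """True if target (already realpath'd) is base itself or lies beneath it."""
    return target == base or target.startswith(base + os.sep)


def safe_extract(archive: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract only members whose final on-disk location stays inside dest.
    Returns (extracted member names, rejected member names) in archive order."""
    dest = os.path.realpath(dest)
    extracted: list[str] = []
    rejected: list[str] = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar:
            name = member.name
            # Resolve against the live filesystem right before writing: realpath
            # follows any symlink already present under dest, so a member that
            # would be written through an earlier link resolves outside and fails.
            target = os.path.realpath(os.path.join(dest, name))
            if os.path.isabs(name) or not _inside(dest, target):
                rejected.append(name)
                continue
            if member.issym():
                # Symlink targets are relative to the link's own directory.
                link_target = os.path.realpath(
                    os.path.join(os.path.dirname(target), member.linkname))
                if not _inside(dest, link_target):
                    rejected.append(name)
                    continue
            elif member.islnk():
                # Hard link targets are relative to the archive root.
                link_target = os.path.realpath(os.path.join(dest, member.linkname))
                if not _inside(dest, link_target):
                    rejected.append(name)
                    continue
            elif not (member.isfile() or member.isdir()):
                rejected.append(name)  # devices, FIFOs and unknown types
                continue
            tar.extract(member, path=dest, **EXTRACT_KW)
            extracted.append(name)
    return extracted, rejected


def demo() -> dict:
    """Run safe_extract on the constructed archive in a scratch directory."""
    with tempfile.TemporaryDirectory() as dest:
        extracted, rejected = safe_extract(build_sample_archive(), dest)
        on_disk = sorted(
            os.path.relpath(os.path.join(root, f), dest)
            for root, _dirs, files in os.walk(dest) for f in files)
    return {"extracted": extracted, "rejected": rejected, "on_disk": on_disk}


if __name__ == "__main__":
    print(demo())
```

Because the check is repeated per member after the previous members have been written, a symlink that had slipped through earlier would be followed by realpath and the later write caught; here the link is refused outright, so pkg/link/payload.txt lands in an ordinary directory under the destination. Run this on a patched interpreter regardless: the helper narrows the attack surface but does not replace the upgrade.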
CVE-2025-4517 is a critical vulnerability in Python's tarfile module allowing attackers to write files outside the intended extraction directory when using the 'data' filter with untrusted archives.
You are affected if you run an unpatched Python release (3.10 before 3.10.18, 3.11 before 3.11.13, 3.12 before 3.12.11, 3.13 before 3.13.4, or a 3.14 pre-release before 3.14.0b3) and extract untrusted tar archives with the filter="data" option (or filter="tar").
Upgrade to a fixed release (3.10.18, 3.11.13, 3.12.11, 3.13.4 or 3.14.0b3, or later). If upgrading is not possible, stop extracting untrusted archives, or validate each member's resolved path against the destination directory before TarFile.extractall() or TarFile.extract() writes it.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation make future exploitation plausible, even though the current EPSS score (0.11%) is low.
For the semantics of the extraction filters and the behaviour the fix restores, refer to the Python tarfile documentation: https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter