CVE-2025-4330

Published Jun 3, 2025

Last updated a month ago

CVSS high 7.5

Overview

Description
Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
Source
cna@python.org
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Severity
HIGH

Weaknesses

cna@python.org
CWE-22

Social media

Hype score
Not currently trending

  1. CPython: Multiple CVEs (1 CRITICAL, 3 HIGH, 1 MODERATE) affecting the tarfile module https://t.co/InRDxGsGrc CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, CVE-2024-12718: Bypasses in tarfile extraction filtering CVE-2025-4435: Filtered members not skipped with TarFile.errorlevel=0

    @oss_security

    24 Jun 2025

    176 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. ⚠️Vulnerabilidad en módulo de Python ❗CVE-2025-4435 ❗CVE-2025-4138 ❗CVE-2025-4330 ❗CVE-2025-4517 ➡️Más info: https://t.co/9kArNzSy3d https://t.co/1GJa9NFyO5

    @CERTpy

    11 Jun 2025

    142 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-4330 Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are a… https://t.co/xXv9U4EkiL

    @CVEnew

    3 Jun 2025

    298 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.