- Description
- Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
- Source
- cna@python.org
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 9.4
- Impact score
- 5.5
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
- Severity
- CRITICAL
- cna@python.org
- CWE-22
- Hype score
- Not currently trending
URGENT: #Fedora42’s #Python3 docs have a critical security patch (v3.13.5). Fixes: CVE-2024-12718 (RCE) CVE-2025-4517 (DoS) Update: sudo dnf upgrade Details: 👉 https://t.co/0lLX9RCrru https://t.co/jJGfAJFbhs
@Cezar_H_Linux
28 Jun 2025
72 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CPython: Multiple CVEs (1 CRITICAL, 3 HIGH, 1 MODERATE) affecting the tarfile module https://t.co/InRDxGsGrc CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, CVE-2024-12718: Bypasses in tarfile extraction filtering CVE-2025-4435: Filtered members not skipped with TarFile.errorlevel=0
@oss_security
24 Jun 2025
176 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A critical flaw (CVE-2025-4517, CVSS 9.4) in Python's tarfile module allows arbitrary file reads/writes outside the extraction directory. PoC is public; update immediately! #PythonSecurity #TarfileVulnerability #PathTraversal #Cybersecurity https://t.co/uma1v04YHJ
@the_yellow_fall
23 Jun 2025
1728 Impressions
13 Retweets
25 Likes
6 Bookmarks
0 Replies
0 Quotes
⚠️ CVE-2025-4517 Alert: #Python’s tarfile lets attackers overwrite ANY file on your server! 📌 Affected: #Ubuntu 24.04-25.04 🛠️ Fix: sudo apt upgrade python3.12 🔗 Details: 👉 https://t.co/ybcMupxAPF https://t.co/0sFjIz08Yj
@Cezar_H_Linux
20 Jun 2025
23 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️Vulnerabilidad en módulo de Python ❗CVE-2025-4435 ❗CVE-2025-4138 ❗CVE-2025-4330 ❗CVE-2025-4517 ➡️Más info: https://t.co/9kArNzSy3d https://t.co/1GJa9NFyO5
@CERTpy
11 Jun 2025
142 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
[CVE-2025-4517: CRITICAL] Warning for Python users! Vulnerability in tarfile module allows arbitrary filesystem writes outside the extraction directory when using filter="data". Update to Python 3.12+ to stay ...#cve,CVE-2025-4517,#cybersecurity https://t.co/32vttUFrzX https://t.
@CveFindCom
3 Jun 2025
21 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes