Information security experts have discovered five vulnerabilities in the Python TarFile module, one of which has a critical severity level and allows writing files to any part of the file system when unpacking specially crafted archives.

G. Ostrov

Security researchers have identified serious vulnerabilities in the Python TarFile module, which is part of Python's standard library and provides functions for working with tar archives. Five vulnerabilities were discovered, one of which has been classified as critical.

Critical Vulnerability CVE-2025-4517

The most dangerous vulnerability received the identifier CVE-2025-4517 and allows writing files to any part of the file system when unpacking specially crafted archives. This can lead to:

  • Privilege escalation in the system
  • Container escape from isolated environments
  • System compromise when used in scripts with root privileges

The vulnerability affects projects that call the TarFile.extractall() or TarFile.extract() methods with the filter parameter set to "data" or "tar". The issue is caused by incorrect handling of the ".." sequence in link names.

Additional Vulnerabilities

Besides the critical vulnerability, four other security issues were discovered:

CVE-2025-4330

Possibility to bypass extraction data filters, which may lead to extraction of symbolic links pointing outside the base extraction directory.

CVE-2025-4138

Ability to create arbitrary symbolic links outside the base directory when using the filter="data" parameter.

CVE-2024-12718

Possibility to modify file metadata outside the base directory, including modification time and access permissions.

CVE-2025-4435

Incorrect behavior when setting the TarFile.errorlevel parameter to 0, where files were extracted instead of being ignored.

Fixes and Recommendations

All vulnerabilities have been fixed in Python versions 3.13.4 and 3.12.11. Developers are strongly advised to:

  • Update Python to the latest versions
  • Review code using the TarFile module
  • Avoid unpacking untrusted archives without additional checks
  • Use secure filters when working with archives

Security Impact

The vulnerabilities are particularly dangerous for:

  • Package management systems
  • Container technologies
  • Web applications processing uploaded archives
  • Automated data processing systems

System administrators should immediately update Python versions and check applications using the TarFile module for processing external data.

Detailed information about the vulnerabilities is available in the official Python repository.
