CVE-2024-12718

5.3 MEDIUM

📋 TL;DR

This CVE describes a path traversal vulnerability in Python's tarfile module when using extraction filters. It allows attackers to modify file metadata or permissions outside the intended extraction directory by crafting malicious tar archives. Only Python 3.12+ users extracting untrusted archives with filter='data' or filter='tar' are affected.

💻 Affected Systems

Products:
  • Python
  • Applications using Python's tarfile module
Versions: Python 3.12.0 through 3.13.0 (before fixes), Python 3.14.0+ with default filter='data'
Operating Systems: All operating systems running affected Python versions
Default Config Vulnerable: ⚠️ Yes
Notes: Python 3.14+ defaults to filter='data', making it vulnerable by default. Earlier Python versions (<3.12) are not affected as they lack the filter parameter.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could modify critical system files' permissions or timestamps, potentially enabling privilege escalation or disrupting system operations.

🟠 Likely Case

Unauthorized modification of file metadata in user-writable directories, potentially affecting application integrity or enabling further attacks.

🟢 If Mitigated

Limited to metadata/permission changes without file content modification, with proper sandboxing reducing impact.

🌐 Internet-Facing: MEDIUM - Applications that process tar files uploaded from the internet are at risk.
🏢 Internal Only: LOW - Internal systems rarely process tar archives from untrusted sources.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting a malicious tar archive with path traversal sequences. The vulnerability is well-documented with public proof-of-concept examples.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Python 3.12.9, 3.13.1, and later versions

Vendor Advisory: https://www.python.org/download/releases/security/

Restart Required: No

Instructions:

  1. Update Python to 3.12.9+, 3.13.1+, or the latest stable release.
  2. For Python 3.14+, ensure you are running the patched version.
  3. No application restart is needed, but restart running Python processes so they load the updated module.

🔧 Temporary Workarounds

Use filter='fully_trusted'

Platforms: all

Set the filter parameter to 'fully_trusted' when extracting archives. This disables the extraction filtering in which the vulnerability lies, and with it every check the filters provide, so pair it with the path validation listed under "If You Can't Patch".

tar.extractall(path='/target', filter='fully_trusted')
tar.extract(member, path='/target', filter='fully_trusted')

Avoid the filter parameter for untrusted archives

Platforms: all

Do not use filter='data' or filter='tar' when extracting untrusted tar archives.

tar.extractall(path='/target')  # Omit the filter parameter on Python <3.14
tar.extract(member, path='/target')

🧯 If You Can't Patch

  • Validate all tar archive paths before extraction to ensure they stay within target directory
  • Run tar extraction in isolated containers or sandboxes with restricted filesystem access

🔍 How to Verify

Check if Vulnerable:

You are affected if you run Python 3.12-3.13 and extract untrusted archives with filter='data' or filter='tar', or run Python 3.14+ with its default filter='data' on untrusted archives.

Check Version:

python --version

Verify Fix Applied:

Verify Python version is 3.12.9+, 3.13.1+, or latest. Test extraction with crafted tar containing '../' paths - should be rejected.
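As an added example that is not code from this page or from CPython, the following Python script serves two of the steps above: the "validate all tar archive paths before extraction" mitigation under "If You Can't Patch", and the "crafted tar containing '../' should be rejected" check in this section. The archive it builds, the destination path /srv/extract and the function names are all constructed for the example; the destination is used only for path arithmetic and is never created on disk.

```python
# Added example (not from the advisory page or from CPython): a pre-extraction
# audit of tar members, plus a probe of the interpreter's own filter='data'
# behaviour on an archive that tries to escape the destination.
import io
import os
import tarfile
import tempfile

# Destination used by the audit; constructed for the example, never created.
SAMPLE_DEST = "/srv/extract"

# Fallback keeps the except clause valid on interpreters without extraction filters.
FILTER_ERROR = getattr(tarfile, "FilterError", tarfile.TarError)


def build_sample_archive() -> bytes:
    """Constructed archive: one harmless member and three that try to escape."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        good = tarfile.TarInfo("good/file.txt")
        good.size = 5
        tar.addfile(good, io.BytesIO(b"hello"))

        traversal = tarfile.TarInfo("../escape.txt")   # parent-directory traversal
        traversal.size = 3
        tar.addfile(traversal, io.BytesIO(b"bad"))

        absolute = tarfile.TarInfo("/abs/file")         # absolute path
        absolute.size = 3
        tar.addfile(absolute, io.BytesIO(b"bad"))

        link = tarfile.TarInfo("link")                  # symlink pointing outside
        link.type = tarfile.SYMTYPE
        link.linkname = "../../etc/passwd"
        tar.addfile(link)
    return buf.getvalue()


def member_escapes(member: tarfile.TarInfo, dest: str) -> bool:
    """True if the member's path, or its link target, resolves outside dest."""
    dest_real = os.path.realpath(dest)
    candidates = [member.name]
    if member.issym():
        # A symlink target is resolved relative to the link's own directory.
        candidates.append(os.path.join(os.path.dirname(member.name), member.linkname))
    elif member.islnk():
        # A hard-link target is a path relative to the archive root.
        candidates.append(member.linkname)
    for candidate in candidates:
        if os.path.isabs(candidate):
            return True
        resolved = os.path.realpath(os.path.join(dest_real, candidate))
        if os.path.commonpath([dest_real, resolved]) != dest_real:
            return True
    return False


def audit_archive(data: bytes, dest: str):
    """Split the members into (accepted, rejected) name lists without extracting."""
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in tar.getmembers():
            (rejected if member_escapes(member, dest) else accepted).append(member.name)
    return accepted, rejected


def probe_data_filter(data: bytes) -> str:
    """Run the interpreter's filter='data' over the sample archive.

    Returns "rejected" (a FilterError stopped extraction), "escaped" (extraction
    completed, so the filter let the traversal through) or "no_filter_support"
    (this interpreter has no filter parameter at all).
    """
    with tempfile.TemporaryDirectory() as tmp:
        # Extract into a nested directory so that even a successful escape
        # stays inside the temporary tree and is cleaned up with it.
        inner = os.path.join(tmp, "inner")
        os.mkdir(inner)
        try:
            with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
                tar.extractall(path=inner, filter="data")
        except TypeError:
            return "no_filter_support"
        except FILTER_ERROR:
            return "rejected"
    return "escaped"


if __name__ == "__main__":
    archive = build_sample_archive()
    ok, bad = audit_archive(archive, SAMPLE_DEST)
    print("accepted:", ok)
    print("rejected:", bad)
    print("filter='data' result:", probe_data_filter(archive))
```

Running the script prints the accepted and rejected member names and the outcome of the interpreter's own data filter. audit_archive is a static pre-filter: it inspects names and link targets without writing anything, so it catches the traversal, absolute-path and link-outside cases shown here, but it is not a substitute for a patched interpreter, whose built-in filter resolves each member against the destination as it is written and therefore also sees links that earlier members of the same archive created. probe_data_filter extracts into a nested temporary directory so that an escape on an unpatched or filter-less interpreter lands inside the tree that is removed afterwards.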

📡 Detection & Monitoring

Log Indicators:

  • Failed tar extraction attempts with path traversal errors
  • Unexpected file permission or timestamp modifications

Network Indicators:

  • Large or unusual tar file uploads to web applications

SIEM Query:

Search for process executions of python with tarfile module usage followed by file metadata changes outside expected directories.
