CVE-2025-4435

7.5 HIGH

📋 TL;DR

This vulnerability in Python's tarfile module lets archive members that an extraction filter rejected be extracted anyway when TarFile.errorlevel is 0. The documented behaviour is that a filtered member is skipped; in affected versions the FilterError raised by the filter is swallowed by the errorlevel=0 error handling and the member is then extracted unmodified, with its original path, link target and mode. It affects applications that extract with a filter (the built-in tar and data filters or a custom one) and set errorlevel=0. An attacker who supplies a crafted archive can get files extracted that the filter should have blocked, for example members whose path resolves outside the destination directory.

💻 Affected Systems

Products:
  • Python
Versions: Any release that has PEP 706 extraction filters and not the fix: Python 3.12.0 and later, plus the filter backports 3.8.17, 3.9.17, 3.10.12 and 3.11.4 and their successors, up to the fixed releases listed under Fix & Mitigation. Older releases have no extraction filters, so there is no filter to bypass.
Operating Systems: All operating systems running affected Python versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when a TarFile is opened with errorlevel=0 and extraction uses a filter (built-in tar or data, or a custom one that rejects members by raising FilterError). The default errorlevel is 1, at which a filter rejection is raised as FilterError and the member is not extracted.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

A crafted archive could bypass what the filter in use is meant to block (depending on the filter: paths outside the destination, absolute paths, symlinks and hard links pointing outside it, device files, setuid/setgid bits) and write files to any location the extracting process can reach, potentially leading to remote code execution or data exfiltration.

🟠

Likely Case

Attackers could plant files in locations the filter should have protected, for example a path-traversal member that overwrites a configuration file or startup script, potentially leading to privilege escalation or a persistence mechanism.

🟢

If Mitigated

With proper input validation and sandboxing, the impact is limited to unexpected file extraction without execution capabilities.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the attacker to supply a crafted tar file and the victim application to extract it with errorlevel=0 explicitly set and a filter in use; the default errorlevel of 1 is not affected.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Python 3.13.4, 3.12.11, 3.11.13, 3.10.18 and 3.9.23 (the June 2025 security releases) and later, and the 3.14 pre-releases after the fix. Python 3.8 had reached end of life and received no fix; move those installations to a supported branch.

Vendor Advisory: https://github.com/python/cpython/security/advisories

Restart Required: Yes for any long-running Python process (services, workers, notebooks): the old tarfile module stays loaded until the process restarts. Container images that bundle an interpreter must be rebuilt.

Instructions:

  1. Update Python to a patched version.
  2. For an interpreter from the OS package manager, apply the distribution's update and check the distribution's advisory: distributions often backport the fix without changing the upstream version number, so the patch level alone does not tell you whether it is applied.
  3. For custom installations, virtual environments built on them, and container base images, install a patched build from python.org or your package manager and rebuild.
  4. Restart every process that had tarfile loaded.

🔧 Temporary Workarounds

Use a non-zero errorlevel

all

Leave errorlevel at its default of 1, or set it to 2: a filter rejection is then raised as tarfile.FilterError and the member is never written. Only errorlevel=0 swallows the error. errorlevel is a TarFile attribute, not a module attribute, so pass it to tarfile.open or set it on the TarFile object:

tar = tarfile.open(path, errorlevel=2)

Do not set errorlevel=0 when extracting untrusted archives

all

Do not combine errorlevel=0 with any extraction filter, the built-in tar and data filters included, not only custom ones: a filter that rejects a member by raising FilterError has its rejection silently ignored. A custom filter that skips a member by returning None still works, but one that raises does not.

🧯 If You Can't Patch

  • Implement strict input validation for tar files from untrusted sources: list the members first and refuse the whole archive if any has an absolute path, a ".." component, or a link target outside the destination
  • Apply the filter yourself: call tarfile.data_filter(member, dest) on each member before extraction and skip those that raise FilterError, so the accept/reject decision never passes through errorlevel handling
  • Run tar extraction in sandboxed/isolated environments with limited permissions

🔍 How to Verify

Check if Vulnerable:

Extract a test archive containing a member the filter must reject (for example one named "../escaped.txt") with errorlevel=0 and filter="data"; if the rejected member appears on disk, the interpreter is affected. Check every interpreter in use (system Python, virtual environments, containers), not only the one first on PATH.

Check Version:

python --version

Verify Fix Applied:

Repeat the same test after updating: with errorlevel=0 the rejected member must be skipped and only the accepted members written, and with errorlevel=1 extraction must raise tarfile.FilterError at the rejected member.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected tar extraction logs
  • Files appearing in locations that should be filtered

Network Indicators:

  • Archives (.tar, .tar.gz, .tgz, .tar.bz2, .tar.xz) uploaded to or fetched by services that extract them with Python's tarfile module

SIEM Query:

Python keyword arguments are not visible in process telemetry, so no process-level SIEM query can tell whether errorlevel=0 or a filter is in use. Find affected code by searching your repositories and installed dependencies for errorlevel=0 (and errorlevel = 0) near tarfile usage, and detect exploitation with file-creation monitoring for Python processes writing outside their expected extraction directories.
