CVE-2025-4517

9.4 CRITICAL

📋 TL;DR

This vulnerability in Python's tarfile module allows attackers to write arbitrary files outside the intended extraction directory when extracting untrusted tar archives using the 'data' or 'tar' filter parameters. It affects Python applications that extract tar files from untrusted sources, particularly those using Python 3.14+ where 'data' became the default filter.

💻 Affected Systems

Products:
  • Python
  • Applications using Python's tarfile module
Versions: Python versions whose tarfile module supports the filter parameter
Operating Systems: All operating systems running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Python 3.14+ is vulnerable by default due to filter='data' becoming the default. Earlier versions are vulnerable when explicitly using filter='data' or filter='tar'.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise via arbitrary file overwrite leading to remote code execution, privilege escalation, or data destruction.

🟠 Likely Case: Arbitrary file writes leading to web shell deployment, configuration file modification, or data corruption.

🟢 If Mitigated: Limited impact if only trusted archives are processed or proper sandboxing is implemented.

🌐 Internet-Facing: HIGH - Web applications processing user-uploaded tar files are directly exposed.
🏢 Internal Only: MEDIUM - Internal systems processing tar files from untrusted sources remain vulnerable.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a malicious tar archive and vulnerable tarfile extraction code. The GitHub references contain technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Python versions with fixes from the referenced commits

Vendor Advisory: https://gist.github.com/sethmlarson/52398e33eff261329a0180ac1d54f42f

Restart Required: No

Instructions:

  1. Update Python to a version containing the fixes from the referenced commits.
  2. For Python 3.14+, ensure filter='none' is used for untrusted archives.
  3. Apply patches from Python's GitHub repository if updating is not possible.

🔧 Temporary Workarounds

Use filter='none' for untrusted archives (Applies to: all)

Explicitly set filter='none' when extracting untrusted tar archives to disable the vulnerable filtering behavior.

tar.extractall(path='/safe/path', filter='none')
tar.extract(member, path='/safe/path', filter='none')

Sandbox extraction directory (Applies to: all)

Extract archives to isolated, restricted directories with minimal permissions.

🧯 If You Can't Patch

  • Avoid extracting untrusted tar archives entirely
  • Implement strict input validation and only process archives from trusted sources
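The "sandbox extraction directory" and "strict input validation" fallbacks above can be combined in code. The wrapper below is an added example, not code from the advisory, from CPython, or from the vendor gist: it audits every member of an archive before anything is written, refusing absolute names, names that resolve outside the destination, all symbolic and hard links, and device or FIFO entries, and only then extracts into the destination. Where the running interpreter exposes tarfile.data_filter it also passes filter='data' as defence in depth; because the advisory reports that filter as affected, the wrapper's own checks are the primary control and do not depend on it. The function names, the UnsafeArchive exception and the in-memory sample archives are constructed for this example.

```python
import io
import os
import tarfile
import tempfile
from typing import Dict, List, Optional, Tuple


class UnsafeArchive(Exception):
    """Raised when any member would write or link outside the destination (name constructed here)."""


def member_problem(member: tarfile.TarInfo, dest: str) -> Optional[str]:
    """Return why a member must not be extracted into dest, or None if it is acceptable.

    dest must already be an absolute, resolved path.  These checks are deliberately
    stricter than tarfile's built-in filters: every link entry is refused, not only
    links whose target lies outside dest.
    """
    name = member.name
    if os.path.isabs(name) or name.startswith("/"):
        return "absolute path"
    # Lexical resolution of '..' is sound only because no link entry is ever extracted.
    target = os.path.normpath(os.path.join(dest, name))
    try:
        inside = os.path.commonpath([dest, target]) == dest
    except ValueError:  # different drive letter on Windows
        inside = False
    if not inside:
        return "path escapes destination directory"
    if member.issym() or member.islnk():
        return "symbolic or hard link"
    if member.isdev():
        return "device or FIFO"
    if not (member.isfile() or member.isdir()):
        return f"unsupported member type {member.type!r}"
    return None


def audit_archive(tar: tarfile.TarFile, dest: str) -> Dict[str, str]:
    """Map each rejected member name to the reason it was rejected."""
    dest = os.path.realpath(dest)
    problems: Dict[str, str] = {}
    for member in tar.getmembers():
        reason = member_problem(member, dest)
        if reason is not None:
            problems[member.name] = reason
    return problems


def safe_extract(tar: tarfile.TarFile, dest: str) -> List[str]:
    """Extract into dest only when every member passes member_problem().

    The whole archive is refused on the first bad member instead of skipping it, so a
    partially unpacked tree never reaches the application.  If the interpreter has the
    filter API, filter='data' is passed as defence in depth (it also strips setuid/setgid
    bits and ownership); the checks above remain the primary control.
    """
    dest = os.path.realpath(dest)
    problems = audit_archive(tar, dest)
    if problems:
        raise UnsafeArchive("; ".join(f"{n!r}: {r}" for n, r in problems.items()))
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    tar.extractall(path=dest, **extra)
    return sorted(m.name for m in tar.getmembers())


def _build_archive(entries: List[Tuple[str, str, str]]) -> bytes:
    """Constructed sample data: an in-memory tar built from (name, kind, payload) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                data = payload.encode()
                info.size, info.mode = len(data), 0o644
                tar.addfile(info, io.BytesIO(data))
            elif kind == "dir":
                info.type, info.mode = tarfile.DIRTYPE, 0o755
                tar.addfile(info)
            elif kind == "symlink":
                info.type, info.linkname = tarfile.SYMTYPE, payload
                tar.addfile(info)
    return buf.getvalue()


def demo() -> Tuple[Dict[str, str], bool, List[str]]:
    """Audit a hostile constructed archive, then extract a clean one into a temp dir."""
    hostile = _build_archive([
        ("ok/notes.txt", "file", "hello"),
        ("../escape.txt", "file", "would land in the parent directory"),
        ("/etc/evil.conf", "file", "absolute name"),
        ("link", "symlink", "/etc"),
    ])
    clean = _build_archive([("ok", "dir", ""), ("ok/notes.txt", "file", "hello")])
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(hostile)) as tar:
            rejected = audit_archive(tar, dest)
            try:
                safe_extract(tar, dest)
                refused = False
            except UnsafeArchive:
                refused = True
        with tarfile.open(fileobj=io.BytesIO(clean)) as tar:
            extracted = safe_extract(tar, dest)
    return rejected, refused, extracted


if __name__ == "__main__":
    print(demo())
```

Extract into a new, empty directory (the sandboxed directory the workaround above describes): the path checks are lexical, so they are only sound when no pre-existing symlink inside the destination can redirect a write. Refusing every link entry is stricter than the built-in filters and will reject some legitimate archives; for untrusted uploads that trade-off is usually the right one.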

🔍 How to Verify

Check if Vulnerable:

Check Python code for tarfile.extractall() or tarfile.extract() calls with filter='data' or filter='tar', or no filter parameter on Python 3.14+.
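That code review can be automated. The scanner below is added here as an illustration and is not part of the advisory: it parses Python source with the standard ast module and reports every .extract()/.extractall() call whose filter keyword is 'data' or 'tar', is omitted, or is explicitly None. It goes slightly beyond the advisory's wording by also catching the same filters passed as the tarfile.data_filter and tarfile.tar_filter callables, and by flagging calls whose keywords arrive through a **kwargs splat for manual review. The function names are constructed for this example, and SAMPLE_SOURCE is a constructed snippet used to exercise it.

```python
import ast
import os
from typing import Dict, List, Optional, Tuple

EXTRACT_METHODS = {"extractall", "extract"}
RISKY_NAMES = {"data", "tar"}                    # filter='data' / filter='tar' as named in the advisory
RISKY_CALLABLES = {"data_filter", "tar_filter"}  # the same filters passed as tarfile.data_filter etc.

Finding = Tuple[int, str]  # (line number, reason)


def _filter_reason(call: ast.Call) -> Optional[str]:
    """Classify the filter= argument of one extraction call; None means not affected."""
    method = call.func.attr
    for kw in call.keywords:
        if kw.arg is None:
            return f"{method}() takes **kwargs; check the filter value by hand"
        if kw.arg == "filter":
            value = kw.value
            if isinstance(value, ast.Constant):
                if value.value in RISKY_NAMES:
                    return f"{method}(filter={value.value!r}) uses an affected filter"
                if value.value is None:
                    return f"{method}(filter=None) falls back to the default, 'data' on Python 3.14+"
                return None  # e.g. 'fully_trusted': not this CVE
            if isinstance(value, ast.Attribute) and value.attr in RISKY_CALLABLES:
                return f"{method}(filter=...{value.attr}) uses an affected filter"
            return None  # custom callable or other expression: not this CVE
    return f"{method}() passes no filter; the default is 'data' on Python 3.14+"


def find_risky_extractions(source: str) -> List[Finding]:
    """Parse one module and list the extraction calls matching the advisory's criteria."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in EXTRACT_METHODS):
            reason = _filter_reason(node)
            if reason is not None:
                findings.append((node.lineno, reason))
    return sorted(findings)


def scan_tree(root: str) -> Dict[str, List[Finding]]:
    """Run find_risky_extractions over every .py file below root."""
    results: Dict[str, List[Finding]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            if not filename.endswith(".py"):
                continue
            path = os.path.join(dirpath, filename)
            try:
                with open(path, encoding="utf-8") as fh:
                    findings = find_risky_extractions(fh.read())
            except (SyntaxError, UnicodeDecodeError, OSError):
                continue  # skip files the running interpreter cannot parse or read
            if findings:
                results[path] = findings
    return results


# Constructed sample input exercising each case the scanner recognises.
SAMPLE_SOURCE = '''\
import tarfile
with tarfile.open("upload.tar") as tar:
    tar.extractall(path="/srv/unpack", filter="data")
    tar.extractall(path="/srv/unpack")
    tar.extract(member, path="/srv/unpack", filter="tar")
    tar.extractall(path="/srv/unpack", filter=tarfile.data_filter)
    tar.extractall(path="/srv/unpack", filter=my_own_filter)
    tar.extractall(path="/srv/unpack", **options)
'''


if __name__ == "__main__":
    for line, reason in find_risky_extractions(SAMPLE_SOURCE):
        print(f"line {line}: {reason}")
```

scan_tree('/path/to/project') runs the same check over a source tree. Matching is by method name only, so zipfile extraction calls (which take no filter argument) also show up as "passes no filter" and need triage; a call using a custom filter callable is not reported because its behaviour cannot be judged statically.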

Check Version:

python --version

Verify Fix Applied:

Verify Python version includes fixes from referenced commits and code uses filter='none' for untrusted archives.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file writes outside extraction directories
  • Tar extraction errors or warnings

Network Indicators:

  • Inbound tar file uploads to vulnerable endpoints

SIEM Query:

Search for process execution of python with tarfile operations or file writes in unexpected locations.
