CVE-2025-8194

7.5 HIGH

📋 TL;DR

A vulnerability in CPython's tarfile module allows malicious tar archives with negative offsets to cause infinite loops and deadlocks during extraction or enumeration. This affects any Python application that processes untrusted tar files using the vulnerable TarFile APIs. The vulnerability can lead to denial of service conditions.

💻 Affected Systems

Products:
  • CPython (Python programming language)
Versions: All versions before the fix commits (specific version numbers not provided in CVE)
Operating Systems: All operating systems running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use the tarfile.TarFile extraction or entry-enumeration APIs. Code that simply calls tarfile.open() may also be affected, depending on what it then does with the archive.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete denial of service through resource exhaustion (CPU/memory) when processing malicious archives, potentially crashing applications or making services unavailable.
🟠 Likely Case: Application hangs or becomes unresponsive when processing specially crafted tar files, requiring manual intervention to restore service.
🟢 If Mitigated: With proper input validation and patching, the vulnerability is eliminated and tar processing functions normally.

🌐 Internet-Facing: HIGH - Any internet-facing service that accepts tar file uploads or processes tar archives from untrusted sources is vulnerable to DoS attacks.
🏢 Internal Only: MEDIUM - Internal systems processing tar files from potentially untrusted sources could experience service disruption.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Creating malicious tar archives with negative offsets is straightforward. The gist reference provides example code demonstrating the issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions containing commits: 57f5981d6260ed21266e0c26951b8564cc252bc2, 7040aa54f14676938970e10c5f74ea93cd56aa38, 73f03e4808206f71eb6b92c579505a220942ef19, b4ec17488eedec36d3c05fec127df71c0071f6cb

Vendor Advisory: https://github.com/python/cpython/commit/57f5981d6260ed21266e0c26951b8564cc252bc2

Restart Required: No

Instructions:

  1. Update Python to a version containing the fix commits.
  2. For immediate mitigation, apply the patch from the gist after importing the tarfile module.
  3. Test tar processing functionality after patching.

🔧 Temporary Workarounds

Apply runtime patch

all

Apply the provided gist patch after importing the tarfile module so that archives with negative offsets are rejected.

# Apply the patch from: https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1
# Copy the patch code and execute it after 'import tarfile' in your application

Input validation wrapper

all

Create a wrapper function that validates the archive (file size, then each member header) before extracting anything.

import os, tarfile
def safe_tar_extract(tar_path, extract_path, max_bytes=512 * 1024 * 1024):
    if os.path.getsize(tar_path) > max_bytes:  # size check before any header is parsed
        raise ValueError(f"archive exceeds {max_bytes} bytes")
    with tarfile.open(tar_path) as tar:
        members = []
        while (member := tar.next()) is not None:  # one header at a time, not getmembers()
            # a negative size or offset is the malformed header this CVE describes
            if member.size < 0 or member.offset < 0 or member.offset_data < 0:
                raise tarfile.InvalidHeaderError(f"negative size/offset in {member.name!r}")
            members.append(member)
        tar.extractall(extract_path, members=members)

🧯 If You Can't Patch

  • Implement strict input validation for all tar file processing - reject files from untrusted sources
  • Monitor application logs for tar processing hangs and implement automatic restart mechanisms for affected services
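One way to turn the "hang" from this CVE into a logged, recoverable error rather than a stuck worker, as an added example that is not from the advisory, the gist or CPython: enumeration runs in a throw-away child interpreter with a time budget, so a looping tarfile only wedges the child, which is then killed. The function names, the timeout value and the sample archive are assumptions made for the demo.

```python
import io
import json
import os
import subprocess
import sys
import tarfile
import tempfile

# Child script: lists the archive in a throw-away interpreter. If tarfile loops
# forever on a malformed header, only this child is wedged, and it gets killed.
_CHILD = """
import json, sys, tarfile
with tarfile.open(sys.argv[1]) as tar:
    json.dump([[m.name, m.size] for m in tar.getmembers()], sys.stdout)
"""

class TarEnumerationTimeout(RuntimeError):
    """Listing the archive did not finish within the time budget (treat as hostile)."""

def list_members_guarded(tar_path, timeout=10.0):
    """Return [(name, size), ...] for tar_path; raise instead of hanging the caller."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", _CHILD, tar_path],
            capture_output=True, text=True, timeout=timeout, check=False,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child before raising, so nothing is left spinning;
        # log this as the "tar processing hang" indicator and reject the file.
        raise TarEnumerationTimeout(f"{tar_path}: enumeration exceeded {timeout}s")
    if proc.returncode != 0:
        # Truncated or non-tar input fails fast in the child instead of hanging.
        raise tarfile.ReadError(f"{tar_path}: child failed: {proc.stderr.strip()[-200:]}")
    return [(name, size) for name, size in json.loads(proc.stdout)]

def make_sample_tar():
    """Write a small benign archive (constructed here for the demo) and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "sample.tar")
    with tarfile.open(path, "w") as tar:
        for name, payload in (("hello.txt", b"hello"), ("dir/data.bin", b"\x00\x01\x02")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return path

if __name__ == "__main__":
    print(list_members_guarded(make_sample_tar(), timeout=5.0))
```

Run the guarded listing before handing an upload to the real extraction path; a TarEnumerationTimeout is the signal to quarantine the file and restart nothing, since the stuck process was only the child.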

🔍 How to Verify

Check if Vulnerable:

Test with a crafted tar file containing negative offsets. If the application hangs or enters an infinite loop, it is vulnerable.

Check Version:

Run python --version to check the interpreter version, or python -c "import tarfile; print(tarfile.__file__)" to locate the tarfile module actually in use.

Verify Fix Applied:

After patching, test with the same malicious tar file - it should raise an error instead of hanging.

📡 Detection & Monitoring

Log Indicators:

  • Application hangs during tar processing
  • High CPU usage by Python processes handling tar files
  • Timeout errors in tar-related operations

Network Indicators:

  • Unusually large number of tar file uploads to vulnerable endpoints
  • Repeated connection attempts to tar processing services

SIEM Query:

source="application.logs" AND ("tarfile" OR ".tar" OR ".tar.gz") AND ("hang" OR "timeout" OR "high_cpu")
