CVE-2025-4435

Description

When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.

Reserved 2025-05-08 | Published 2025-06-03 | Updated 2025-06-04 | Assigner PSF

Product status

Default status
unaffected

Any version before 3.9.23
affected

3.10.0 before 3.10.18
affected

3.11.0 before 3.11.13
affected

3.12.0 before 3.12.11
affected

3.13.0 before 3.13.4
affected

3.14.0a1 before 3.14.0
affected

Credits

Chuck Woodraska reporter

Petr Viktorin remediation developer

Serhiy Storchaka remediation developer

Hugo van Kemenade remediation reviewer

Łukasz Langa remediation reviewer

Thomas Wouters remediation reviewer

Seth Larson coordinator

Matt Prodani remediation developer

References

github.com/python/cpython/issues/135034 issue-tracking

github.com/python/cpython/pull/135037 patch

mail.python.org/.../thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/ vendor-advisory

github.com/...ommit/3612d8f51741b11f36f8fb0494d79086bac9390a patch

github.com/...ommit/9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a patch

github.com/...ommit/19de092debb3d7e832e5672cc2f7b788d35951da patch

github.com/...ommit/aa9eb5f757ceff461e6e996f12c89e5d9b583b01 patch

github.com/...ommit/28463dba112af719df1e8b0391c46787ad756dd9 patch

github.com/...ommit/4633f3f497b1ff70e4a35b6fe2c907cbe2d4cb2e patch

github.com/...ommit/9c1110ef6652687d7c55f590f909720eddde965a patch

github.com/...ommit/dd8f187d0746da151e0025c51680979ac5b4cfb1 patch

cve.org (CVE-2025-4435)

nvd.nist.gov (CVE-2025-4435)

Download JSON