Python tarfile flaw allows writes outside the extraction directory

Five vulnerabilities have been disclosed in tarfile, the Python standard-library module that provides functions for reading and writing TAR archives; one of them is rated critical. The fixes are included in Python 3.13.4 and 3.12.11. The most serious issue (CVE-2025-4517) allows files to be written to arbitrary locations on the filesystem when a specially crafted archive is extracted. In system scripts that use tarfile and run as root (for example, package-management utilities and tools that work with isolated containers), it can be exploited to escalate privileges or escape the container.

The vulnerability affects projects that use tarfile to extract untrusted TAR archives via tarfile.extractall() or tarfile.extract() with the filter parameter set to "data" or "tar". It is caused by incorrect handling of the ".." sequence in link names. The problem affects Python versions starting with 3.12. The filter="data" mode is the default in the Python 3.14 development branch (release planned for autumn).

Other vulnerabilities in tarfile:
