Vulnerability Details: CVE-2025-4435

Summary
Assigner: PSF
Assigner Org ID: 28c92f92-d60d-412d-b760-e73465c3df22
Published At: 03 Jun, 2025 | 12:59
Updated At: 07 Jul, 2025 | 17:36

Tarfile extracts filtered members when errorlevel=0

When using TarFile.errorlevel = 0 and extracting with a filter, the documented behavior is that any filtered members are skipped and not extracted. However, the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member is still extracted rather than skipped.
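As an added check (not code from the advisory or from CPython), the following builds a small archive in memory, extracts it with TarFile.errorlevel = 0 and a filter that rejects one member, and reports whether the rejected member still appeared on disk; it also classifies the running interpreter against the affected ranges listed in this record. The member names, the policy filter and the archive contents are constructed for the example.

```python
import io, os, sys, tarfile, tempfile

# First fixed release per branch, taken from the advisory's affected ranges;
# pre-release levels compare alphabetically: 'alpha' < 'beta' < 'candidate' < 'final'.
FIRST_FIXED = {
    9: (3, 9, 23, "final", 0), 10: (3, 10, 18, "final", 0),
    11: (3, 11, 13, "final", 0), 12: (3, 12, 11, "final", 0),
    13: (3, 13, 4, "final", 0), 14: (3, 14, 0, "beta", 3),
}

def is_affected_version(info):
    """True if a sys.version_info-style tuple lies inside the advisory's affected ranges."""
    major, minor = info[:2]
    if major != 3:
        return major < 3            # "From 0 before 3.9.23" covers everything older than 3
    if minor < 9:
        return True                 # 3.8 and earlier never received the fix
    if minor in FIRST_FIXED:
        return tuple(info[:5]) < FIRST_FIXED[minor]
    return False                    # branches created after the fix

def _policy_filter(member, dest_path):
    """Constructed filter: reject one member by name, as a policy check would."""
    if member.name == "rejected.txt":
        raise tarfile.FilterError("rejected.txt is not allowed by policy")
    return member

def _build_archive():
    buf = io.BytesIO()              # constructed two-member archive, held in memory
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in (("safe.txt", b"ok\n"), ("rejected.txt", b"must be skipped\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def check_errorlevel0_skips_filtered():
    """Extract with errorlevel=0 plus a rejecting filter and report what landed on disk."""
    result = {"filter_supported": hasattr(tarfile, "FilterError"),
              "version_affected": is_affected_version(sys.version_info)}
    if not result["filter_supported"]:
        return result               # the filter= keyword is absent on this interpreter
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=_build_archive(), mode="r") as tf:
            tf.errorlevel = 0       # documented: log the filter error and skip the member
            tf.extractall(path=dest, filter=_policy_filter)
        result["safe_extracted"] = os.path.isfile(os.path.join(dest, "safe.txt"))
        result["rejected_extracted"] = os.path.isfile(os.path.join(dest, "rejected.txt"))
    return result
```

On a fixed interpreter `rejected_extracted` is False; if it comes back True, the interpreter shows the behavior this record describes, and `version_affected` can be compared against it to spot distributions that backported the fix without changing the version number.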

Common Vulnerabilities and Exposures (CVE), cve.org
CVE Numbering Authority (CNA)

Affected Products
Vendor: Python Software Foundation
Product: CPython
Repo: https://github.com/python/cpython
Modules:
  • tarfile
Default Status: unaffected
Affected Versions:
  • From 0 before 3.9.23 (python)
  • From 3.10.0 before 3.10.18 (python)
  • From 3.11.0 before 3.11.13 (python)
  • From 3.12.0 before 3.12.11 (python)
  • From 3.13.0 before 3.13.4 (python)
  • From 3.14.0a1 before 3.14.0b3 (python)
Metrics
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Credits
  • reporter: Chuck Woodraska
  • remediation developer: Petr Viktorin
  • remediation developer: Serhiy Storchaka
  • remediation reviewer: Hugo van Kemenade
  • remediation reviewer: Łukasz Langa
  • remediation reviewer: Thomas Wouters
  • coordinator: Seth Larson
  • remediation developer: Matt Prodani
References (each hyperlink is followed by its resource type)
https://github.com/python/cpython/issues/135034
issue-tracking
https://github.com/python/cpython/pull/135037
patch
https://mail.python.org/archives/list/security-announce@python.org/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/
vendor-advisory
https://github.com/python/cpython/commit/3612d8f51741b11f36f8fb0494d79086bac9390a
patch
https://github.com/python/cpython/commit/9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a
patch
https://github.com/python/cpython/commit/19de092debb3d7e832e5672cc2f7b788d35951da
patch
https://github.com/python/cpython/commit/aa9eb5f757ceff461e6e996f12c89e5d9b583b01
patch
https://github.com/python/cpython/commit/28463dba112af719df1e8b0391c46787ad756dd9
patch
https://github.com/python/cpython/commit/4633f3f497b1ff70e4a35b6fe2c907cbe2d4cb2e
patch
https://github.com/python/cpython/commit/9c1110ef6652687d7c55f590f909720eddde965a
patch
https://github.com/python/cpython/commit/dd8f187d0746da151e0025c51680979ac5b4cfb1
patch
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Problem Types
  • CWE-682: Incorrect Calculation
National Vulnerability Database (NVD), nvd.nist.gov
Source: cna@python.org
Published At: 03 Jun, 2025 | 13:15
Updated At: 04 Jun, 2025 | 14:54

Metrics
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Weaknesses
CWE ID: CWE-682
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
References
Source: cna@python.org; resource type not set (N/A). The hyperlinks are the same eleven listed under the CNA section above: the eight fix commits, issue 135034, pull request 135037 and the security-announce thread.