CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
Description
When using TarFile.errorlevel = 0 and extracting with a filter, the documented behavior is that any filtered members would be skipped and not extracted. However, the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.
Analysis
Logic flaw in Python's TarFile module: the documented behavior of errorlevel=0 (skip filtered members) contradicts the actual implementation (extract filtered members anyway). This affects any application that uses Python's tarfile library with extraction filters, allowing attackers to have files extracted that the filter should have blocked, potentially leading to path traversal or extraction of malicious content. The vulnerability has a high CVSS score (7.5), with a network-accessible attack vector and no authentication required, though exploitation requires the application to use extraction filters with errorlevel=0 and to expect them to be respected.
Technical Context
Python's tarfile module provides tar archive extraction with security filtering capabilities. When TarFile.errorlevel is set to 0 (the documented 'skip' behavior), filtered archive members should be silently skipped during extraction. However, due to a logic error classified as CWE-682 (Incorrect Calculation), the implementation extracts these filtered members regardless of the errorlevel setting: a mismatch between the intended security logic and the implemented behavior. Affected CPE ranges include python:python:*. Applications relying on tarfile filters for security (e.g., blocking absolute paths, dangerous symlinks, or specific file patterns) cannot trust the filtering mechanism when errorlevel=0 is set.
Affected Products
Python tarfile module in the standard library. Specific CPE data was not provided in the input, but the vulnerability affects python:python (all versions with the tarfile module where this logic error exists, likely Python 3.x versions prior to the patch). Affected vendors/products include any Python application that calls tarfile.TarFile.extractall() or extract() with a filter parameter and errorlevel=0. This includes tools like pip, package managers, deployment tools, and backup/extraction utilities built on Python's tarfile. Exact patched version numbers require reference to Python's official security advisory (python.org/dev/peps/pep-0506 or security.python.org).
Remediation
Immediate remediation:

1. Upgrade Python to the patched version once released (consult security.python.org for exact version bumps).
2. Workaround for applications: do not rely on errorlevel=0 for security filtering; instead, validate extracted file paths and permissions independently before extraction.
3. Avoid using tarfile extraction filters as the sole security control; implement additional validation logic.
4. If using tarfile, set errorlevel to a non-zero value and handle exceptions explicitly rather than silently skipping.
5. For production systems, use allowlists of permitted file paths and reject archives containing unexpected entries.

Apply vendor security updates when available. Reference official Python security advisories at https://security.python.org/ for patch availability and version numbers.
Priority Score
Vendor Status
Ubuntu
Priority: Medium

| Release | Status | Version |
|---|---|---|
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| bionic | not-affected | code not present |
| focal | not-affected | code not present |
| jammy | not-affected | code not present |
| trusty | not-affected | code not present |
| xenial | not-affected | code not present |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| trusty | not-affected | code not present |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| trusty | not-affected | code not present |
| xenial | not-affected | code not present |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| bionic | not-affected | code not present |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| bionic | not-affected | code not present |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| bionic | not-affected | code not present |
| focal | not-affected | code not present |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| focal | not-affected | code not present |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| jammy | not-affected | code not present |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| jammy | not-affected | code not present |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| noble | released | 3.12.3-1ubuntu0.7 |
| oracular | released | 3.12.7-1ubuntu2.2 |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| oracular | released | 3.13.0-1ubuntu0.3 |
| plucky | released | 3.13.3-1ubuntu0.2 |
| upstream | released | 3.13.4 |
| questing | not-affected | 3.13.5 |
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | released | 3.14.0b3 |
| questing | released | 3.14.0-1 |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 2.7.2+repack1-3 | - |
| forky, sid, bookworm, trixie | fixed | 2.7.3+repack1-1 | - |
| (unstable) | not-affected | - | - |
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | not-affected | - | - |
| bullseye (security) | fixed | 7.3.5+dfsg-2+deb11u5 | - |
| bookworm | vulnerable | 7.3.11+dfsg-2+deb12u3 | - |
| trixie | vulnerable | 7.3.19+dfsg-2 | - |
| forky, sid | fixed | 7.3.20+dfsg-4 | - |
| experimental | fixed | 7.3.20+dfsg-1 | - |
| (unstable) | fixed | 7.3.20+dfsg-2 | - |
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 2.7.18-8+deb11u1 | - |
| (unstable) | not-affected | - | - |
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bookworm | not-affected | - | - |
| bookworm (security) | fixed | 3.11.2-6+deb12u3 | - |
| (unstable) | fixed | (unfixed) | - |
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| trixie | fixed | 3.13.5-2 | - |
| forky, sid | fixed | 3.13.12-1 | - |
| (unstable) | fixed | 3.13.4-1 | - |
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 3.9.2-1 | - |
| bullseye (security) | fixed | 3.9.2-1+deb11u5 | - |
| (unstable) | not-affected | - | - |
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| (unstable) | fixed | (unfixed) | - |
EUVD-2025-16725