Lucene search
K

211 matches found

euvd
euvd
added 2025/10/03 8:7 p.m.11 views

EUVD-2025-16736

Malicious code in bioql PyPI...

9.4CVSS6.6AI score0.01184EPSS
Exploits11References13
mscve
mscve
added 2025/09/27 8:2 a.m.3 views

Fallback tar extraction in pip doesn't check symbolic links point to extraction directory

...

5.9CVSS7AI score0.00438EPSS
Exploits0
snyk
snyk
added 2025/09/24 6:57 p.m.3 views

Symlink Following

Overview org.webjars.npm:tar-fs is a filesystem bindings for tar-stream. Affected versions of this package are vulnerable to Symlink Following via the symlink validation process in the inCwd function. An attacker can write files outside the intended extraction directory by crafting a malicious...

8.7CVSS6.9AI score0.00516EPSS
Exploits0References3
osv
osv
added 2025/09/24 3:31 p.m.1 views

GHSA-4XH5-X5GV-QWPH pip's fallback tar extraction doesn't check symbolic links point to extraction directory

When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python versi...

5.9CVSS7.9AI score0.00438EPSS
Exploits0References7
cve
cve
added 2025/09/24 2:56 p.m.56 views

CVE-2025-8869

CVENote (CVE-2025-8869): Pip’s tar extraction fallback, used on Python builds that do not implement PEP 706, may fail to prevent symbolic links from pointing outside the extraction directory. This is a vulnerability in the tar extraction path, not in all Python tar handling. Affected scenario occ...

5.9CVSS6.5AI score0.00438EPSS
Exploits0References3
cvelist
cvelist
added 2025/09/24 2:56 p.m.12 views

CVE-2025-8869 Fallback tar extraction in pip doesn't check symbolic links point to extraction directory

When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python versi...

5.9CVSS0.00438EPSS
Exploits0References2
osv
osv
added 2025/08/11 1:52 p.m.8 views

BIT-LIBPYTHON-2024-12718 Bypass extraction filter to modify file metadata outside extraction directory

Allows modifying some file metadata e.g. last modified with filter="data" or file permissions chmod with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall or...

5.3CVSS8AI score0.00637EPSS
Exploits1References14
mscve
mscve
added 2025/07/11 7:0 a.m.7 views

Extraction filter bypass for linking outside extraction directory

...

8.1CVSS6.6AI score0.00767EPSS
Exploits2
mscve
mscve
added 2025/07/11 7:0 a.m.8 views

Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory

...

8.1CVSS7.4AI score0.01109EPSS
Exploits7
mscve
mscve
added 2025/07/11 7:0 a.m.6 views

Bypass extraction filter to modify file metadata outside extraction directory

...

5.3CVSS7.6AI score0.00637EPSS
Exploits1
osv
osv
added 2025/07/10 9:2 a.m.89 views

BIT-PYTHON-2025-4517 Arbitrary writes via tarfile realpath overflow

Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall or TarFile.extract using the filter= parameter with a value of...

9.4CVSS9.7AI score0.01184EPSS
Exploits11References13
osv
osv
added 2025/07/10 9:2 a.m.17 views

BIT-PYTHON-2025-4138 Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory

Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall or...

7.5CVSS8.2AI score0.01109EPSS
Exploits7References13
osv
osv
added 2025/07/10 9:1 a.m.24 views

BIT-PYTHON-2024-12718 Bypass extraction filter to modify file metadata outside extraction directory

Allows modifying some file metadata e.g. last modified with filter="data" or file permissions chmod with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall or...

5.3CVSS7AI score0.00637EPSS
Exploits1References14
redhat
redhat
added 2025/07/08 11:17 a.m.5 views

python: cpython: Arbitrary writes via tarfile realpath overflow

A flaw was found in the CPython tarfile module. This vulnerability allows arbitrary filesystem writes outside the extraction directory via extracting untrusted tar archives using the TarFile.extractall or TarFile.extract methods with the extraction filter parameter set to "data" or "tar"...

9.4CVSS6.7AI score0.01184EPSS
Exploits11References10
redhat
redhat
added 2025/07/08 11:17 a.m.7 views

cpython: python: Bypass extraction filter to modify file metadata outside extraction directory

A flaw was found in CPython's tarfile module. This vulnerability allows modification of file metadata, such as timestamps or permissions, outside the intended extraction directory via maliciously crafted tar archives using the filter="data" or filter="tar" extraction filters...

5.3CVSS7.1AI score0.00637EPSS
Exploits1References11
redhat
redhat
added 2025/07/07 4:21 p.m.8 views

cpython: python: Bypass extraction filter to modify file metadata outside extraction directory

A flaw was found in CPython's tarfile module. This vulnerability allows modification of file metadata, such as timestamps or permissions, outside the intended extraction directory via maliciously crafted tar archives using the filter="data" or filter="tar" extraction filters...

5.3CVSS7.1AI score0.00637EPSS
Exploits1References11
redhat
redhat
added 2025/07/07 11:25 a.m.6 views

python: cpython: Arbitrary writes via tarfile realpath overflow

A flaw was found in the CPython tarfile module. This vulnerability allows arbitrary filesystem writes outside the extraction directory via extracting untrusted tar archives using the TarFile.extractall or TarFile.extract methods with the extraction filter parameter set to "data" or "tar"...

9.4CVSS6.7AI score0.01184EPSS
Exploits11References10
redhat
redhat
added 2025/07/07 11:25 a.m.8 views

cpython: python: Bypass extraction filter to modify file metadata outside extraction directory

A flaw was found in CPython's tarfile module. This vulnerability allows modification of file metadata, such as timestamps or permissions, outside the intended extraction directory via maliciously crafted tar archives using the filter="data" or filter="tar" extraction filters...

5.3CVSS7.1AI score0.00637EPSS
Exploits1References11
redhat
redhat
added 2025/07/07 11:25 a.m.8 views

cpython: python: Extraction filter bypass for linking outside extraction directory

A flaw was found in CPython's tarfile module. This vulnerability allows bypassing of extraction filters, enabling symlink traversal outside the intended extraction directory and potential modification of file metadata via malicious tar archives using TarFile.extractall or TarFile.extract with the...

7.5CVSS6.2AI score0.00767EPSS
Exploits2References10
redhat
redhat
added 2025/07/02 6:27 a.m.6 views

python: cpython: Arbitrary writes via tarfile realpath overflow

A flaw was found in the CPython tarfile module. This vulnerability allows arbitrary filesystem writes outside the extraction directory via extracting untrusted tar archives using the TarFile.extractall or TarFile.extract methods with the extraction filter parameter set to "data" or "tar"...

9.4CVSS6.7AI score0.01184EPSS
Exploits11References10
Rows per page
Query Builder