cpython: python: Extraction filter bypass for linking outside extraction directory

A flaw was found in CPython's tarfile module. This vulnerability allows bypassing of extraction filters, enabling symlink traversal outside the intended extraction directory and potential modification of file metadata via malicious tar archives using TarFile.extractall or TarFile.extract with the...

python: cpython: Arbitrary writes via tarfile realpath overflow

A flaw was found in the CPython tarfile module. This vulnerability allows arbitrary filesystem writes outside the extraction directory via extracting untrusted tar archives using the TarFile.extractall or TarFile.extract methods with the extraction filter parameter set to "data" or "tar"...

cpython: python: Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory

A flaw was found in the Python tarfile module. This vulnerability allows attackers to bypass extraction filters, enabling symlink targets to escape the destination directory and allowing unauthorized modification of file metadata via the use of TarFile.extract or TarFile.extractall with the filte...

cpython: python: Bypass extraction filter to modify file metadata outside extraction directory

A flaw was found in CPython's tarfile module. This vulnerability allows modification of file metadata, such as timestamps or permissions, outside the intended extraction directory via maliciously crafted tar archives using the filter="data" or filter="tar" extraction filters...

cpython: python: Extraction filter bypass for linking outside extraction directory

A flaw was found in CPython's tarfile module. This vulnerability allows bypassing of extraction filters, enabling symlink traversal outside the intended extraction directory and potential modification of file metadata via malicious tar archives using TarFile.extractall or TarFile.extract with the...

cpython: python: Bypass extraction filter to modify file metadata outside extraction directory

A flaw was found in CPython's tarfile module. This vulnerability allows modification of file metadata, such as timestamps or permissions, outside the intended extraction directory via maliciously crafted tar archives using the filter="data" or filter="tar" extraction filters...

Amazon Linux 2023 : python3, python3-devel, python3-idle (ALAS2023-2025-1046)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1046 advisory. Allows modifying some file metadata e.g. last modified with filter=data or file permissions chmod with filter=tar of files outside the extraction directory.You are affected by this vulnerabili...

TencentOS Server 3: python3.11-pip (TSSA-2023:0278)

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2023:0278 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:...

Path Traversal

Python tarfile module is vulnerable to Path Traversal. The vulnerability is due to improper validation of file paths during extraction with TarFile.extractall or TarFile.extract when using the filter="data" or filter="tar" parameter, which allows an attacker to craft a malicious tar archive that...

SUSE CVE-2024-12718

Allows modifying some file metadata e.g. last modified with filter="data" or file permissions chmod with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall or...

SUSE CVE-2025-4517

Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall or TarFile.extract using the filter= parameter with a value of...

DEBIAN-CVE-2025-4138

Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall or...

PSF-2025-6

Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall or...

CVE-2025-4330 Extraction filter bypass for linking outside extraction directory

Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall or...

Medium: python3.11-pip

Issue Overview: Directory traversal vulnerability in the 1 extract and 2 extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. dot dot sequence in filenames in a TAR archive, a related issue to CVE-2001-1267. CVE-2007-4559...

Medium: python-pip

Issue Overview: Directory traversal vulnerability in the 1 extract and 2 extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. dot dot sequence in filenames in a TAR archive, a related issue to CVE-2001-1267. CVE-2007-4559...

Amazon Linux 2 : python-pip (ALAS-2025-2814)

It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2814 advisory. Directory traversal vulnerability in the 1 extract and 2 extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. dot dot sequence i...

Linux Distros Unpatched Vulnerability : CVE-2007-4559

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Directory traversal vulnerability in the 1 extract and 2 extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite...

CLSA-2025-1740599937 python3: Fix of CVE-2007-4559

CVE-2007-4559: implement PEP 706 - a filter in the tarfile module to prevent directory traversal vulnerability...

python: cpython: tarfile: ReDos via excessive backtracking while parsing header values

A regular expression denial of service ReDos vulnerability was found in Python's tarfile module. Due to excessive backtracking while tarfile parses headers, an attacker may be able to trigger a denial of service via a specially crafted tar archive...