
959 matches found

OSV
added 2025/06/03 12:59 p.m., 7 views

PSF-2025-5

Allows modifying some file metadata e.g. last modified with filter="data" or file permissions chmod with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall or...

CVSS 5.3 | AI score 8.1 | EPSS 0.00607
Exploits 1 | References 13

AlpineLinux
added 2025/06/03 12:59 p.m., 8 views

CVE-2024-12718

Allows modifying some file metadata e.g. last modified with filter="data" or file permissions chmod with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall or...

CVSS 5.3 | AI score 7.8 | EPSS 0.00607
Exploits 1

Cvelist
added 2025/06/03 12:59 p.m., 17 views

CVE-2025-4435 Tarfile extracts filtered members when errorlevel=0

When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped...

CVSS 7.5 | EPSS 0.00474
Exploits 1 | References 11

Vulnrichment
added 2025/06/03 12:59 p.m., 7 views

CVE-2025-4435 Tarfile extracts filtered members when errorlevel=0

When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped...

CVSS 7.5 | AI score 7.6 | EPSS 0.00474
Exploits 1 | References 11

OSV
added 2025/06/03 12:59 p.m., 4 views

PSF-2025-8

When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped...

CVSS 7.5 | AI score 7.7 | EPSS 0.00474
Exploits 1 | References 11

CVE
added 2025/06/03 12:59 p.m., 208 views

CVE-2025-4435

CVE-2025-4435 affects CPython tarfile: when TarFile.errorlevel=0 and a filter is used, the filter-verified members could be extracted instead of skipped. Root cause described as the extraction filter bypassing for errorlevel=0 in affected versions. Impact per CVSS: HIGH (I) with no availability o...

CVSS 7.5 | AI score 7.6 | EPSS 0.00474
Exploits 1 | References 11

Snyk
added 2025/06/03 12:59 p.m., 4 views

Use of Incorrectly-Resolved Name or Reference

Overview Affected versions of this package are vulnerable to Use of Incorrectly-Resolved Name or Reference via the tarfile process when errorlevel is set to 0 and a filter is applied. An attacker can cause unauthorized files to be extracted by convincing a privileged user or process to extract a...

CVSS 8.2 | AI score 6.7 | EPSS 0.00474
Exploits 1 | References 2

Debian CVE
added 2025/06/03 12:59 p.m., 7 views

CVE-2025-4435

When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped...

CVSS 7.5 | AI score 6.4 | EPSS 0.00474
Exploits 1

Snyk
added 2025/06/03 12:59 p.m., 6 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via TarFile.extractall and TarFile.extract functions in the tarfile module when using the filter parameter set to data or tar. An attacker can gain unauthorised access to files outside the intended extraction directo...

CVSS 9.3 | AI score 7.2 | EPSS 0.01109
Exploits 7 | References 2

AlpineLinux
added 2025/06/03 12:59 p.m., 10 views

CVE-2025-4138

Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall or...

CVSS 7.5 | AI score 8.5 | EPSS 0.01109
Exploits 7

OSV
added 2025/06/03 12:59 p.m., 8 views

PSF-2025-6

Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall or...

CVSS 7.5 | AI score 9.8 | EPSS 0.01109
Exploits 7 | References 12

CVE
added 2025/06/03 12:59 p.m., 321 views

CVE-2025-4138

CVE-2025-4138 affects Python’s tarfile module when using TarFile.extractall() or TarFile.extract() with filter='data' or 'tar'. The extraction filter can be bypassed, allowing symlink targets to point outside the destination directory and enabling modification of some file metadata. This issue is...

CVSS 7.5 | AI score 8.1 | EPSS 0.01109
Exploits 7 | References 12

Cvelist
added 2025/06/03 12:58 p.m., 17 views

CVE-2025-4330 Extraction filter bypass for linking outside extraction directory

Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall or...

CVSS 7.5 | EPSS 0.00728
Exploits 2 | References 12

CVE
added 2025/06/03 12:58 p.m., 206 views

CVE-2025-4330

CVE-2025-4330 affects Python tarfile extraction: when using TarFile.extractall() or TarFile.extract() with filter=“data” or “tar”, the extraction filter can be bypassed, allowing symlink targets and some file metadata to be manipulated outside the destination directory. Affected Python versions a...

CVSS 7.5 | AI score 8.1 | EPSS 0.00728
Exploits 2 | References 12

Snyk
added 2025/06/03 12:58 p.m., 6 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the tarfile module's extraction process when using the extractall or extract functions with the filter parameter set to "data" or "tar". An attacker can cause files or symlinks to be created outside the intended...

CVSS 8.7 | AI score 7.6 | EPSS 0.00728
Exploits 2 | References 2

AlpineLinux
added 2025/06/03 12:58 p.m., 7 views

CVE-2025-4330

Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall or...

CVSS 7.5 | AI score 8.2 | EPSS 0.00728
Exploits 2

OSV
added 2025/06/03 12:58 p.m., 7 views

PSF-2025-7

Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall or...

CVSS 7.5 | AI score 9.8 | EPSS 0.00728
Exploits 2 | References 12

Cvelist
added 2025/06/03 12:58 p.m., 21 views

CVE-2025-4517 Arbitrary writes via tarfile realpath overflow

Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall or TarFile.extract using the filter= parameter with a value of...

CVSS 9.4 | EPSS 0.01184
Exploits 11 | References 12

Vulnrichment
added 2025/06/03 12:58 p.m., 9 views

CVE-2025-4517 Arbitrary writes via tarfile realpath overflow

Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall or TarFile.extract using the filter= parameter with a value of...

CVSS 9.4 | AI score 9.7 | EPSS 0.01184
Exploits 11 | References 12

Snyk
added 2025/06/03 12:58 p.m., 8 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal in the tarfile extraction process when using the filter parameter set to "data" or "tar". An attacker can write files outside the intended extraction directory by convincing a privileged user or process to extract a...

CVSS 9.4 | AI score 7.5 | EPSS 0.01184
Exploits 11 | References 2