34 matches found
CVE-2026-57516
Ray prior to 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader that allows attackers to achieve remote code execution by supplying a malicious tar archive to the readwebdataset function. The defaultdecoder function in webdatasetdatasource.py unconditionally calls...
EUVD-2026-41089
Ray prior to 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader that allows attackers to achieve remote code execution by supplying a malicious tar archive to the readwebdataset function. The defaultdecoder function in webdatasetdatasource.py unconditionally calls...
CVE-2026-57516
Ray prior to 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader that allows attackers to achieve remote code execution by supplying a malicious tar archive to the readwebdataset function. The defaultdecoder function in webdatasetdatasource.py unconditionally calls...
Symlink Attack
Overview bentoml is a BentoML: Build Production-Grade AI Applications Affected versions of this package are vulnerable to Symlink Attack in the safeextracttarfile function. An attacker can overwrite arbitrary files on the host filesystem, potentially leading to remote code execution, by crafting ...
Relative Path Traversal
Overview @vltpkg/tar is an An extremely limited and very fast tar extractor Affected versions of this package are vulnerable to Relative Path Traversal via improper sanitization of file paths during the extraction process. An attacker can overwrite arbitrary files on the filesystem by crafting ta...
TencentOS Server 3: python3 (TSSA-2025:0796)
The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2025:0796 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:...
EUVD-2025-7031
Malicious code in bioql PyPI...
EUVD-2025-6946
Malicious code in bioql PyPI...
CLSA-2025-1758101956 Fix CVE(s): CVE-2025-8194
SECURITY UPDATE: defect in 'tarfile' module leads to infinite loop and deadlock in parsing of maliciously crafted tar archives - debian/patches/CVE-2025-8194.patch: Validate archives to ensure member offsets are non-negative - CVE-2025-8194...
Alibaba Cloud Linux 3 : 0147: python3 (ALINUX3-SA-2025:0147)
The remote Alibaba Cloud Linux 3 host has packages installed that are affected by a vulnerability as referenced in the ALINUX3-SA-2025:0147 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2025-8194: There is a defect in the CPython...
BIT-LIBPYTHON-2025-8194 Tarfile infinite loop during parsing with negative member offset
There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives...
CVE-2025-8194
There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives...
CPython 安全漏洞
CPython is a Python interpreter implemented in C from the Python Foundation. A security vulnerability exists in CPython that stems from a malicious tar file that could lead to an infinite loop and deadlock...
cpython: python: Extraction filter bypass for linking outside extraction directory
A flaw was found in CPython's tarfile module. This vulnerability allows bypassing of extraction filters, enabling symlink traversal outside the intended extraction directory and potential modification of file metadata via malicious tar archives using TarFile.extractall or TarFile.extract with the...
cpython: python: Bypass extraction filter to modify file metadata outside extraction directory
A flaw was found in CPython's tarfile module. This vulnerability allows modification of file metadata, such as timestamps or permissions, outside the intended extraction directory via maliciously crafted tar archives using the filter="data" or filter="tar" extraction filters...
Path Traversal
Python tarfile module is vulnerable to Path Traversal. The vulnerability is due to improper validation of file paths during extraction with TarFile.extractall or TarFile.extract when using the filter="data" or filter="tar" parameter, which allows an attacker to craft a malicious tar archive that...
CVE-2024-12718
A flaw was found in CPython's tarfile module. This vulnerability allows modification of file metadata, such as timestamps or permissions, outside the intended extraction directory via maliciously crafted tar archives using the filter="data" or filter="tar" extraction filters. Mitigation Mitigatio...
Deserialization of Untrusted Data
Overview torch is a Tensors and Dynamic neural networks in Python with strong GPU acceleration Affected versions of this package are vulnerable to Deserialization of Untrusted Data when using the torch.load function on an untrusted model with weightsonly=True, which is documented to be secure. Th...
tar-fs 安全漏洞
tar-fs is a tar-stream file system bundle. A security vulnerability exists in tar-fs versions prior to 1.16.4, prior to 2.1.2, and prior to 3.0.8, which originates from path traversal when decompressing a malicious tar file...
CVE-2024-7776
A flaw was found in the ONNX framework. This vulnerability allows arbitrary file overwrite via a path traversal attack in malicious tar files. Mitigation Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprisi...