11 matches found
BIT-MLFLOW-2025-15031 Path Traversal Vulnerability in mlflow/mlflow
A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of tarfile.extractall without path validation enables crafted tar.gz files containing .. or absolute paths to escape the intended extractio...
cpython: python: Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory
A flaw was found in the Python tarfile module. This vulnerability allows attackers to bypass extraction filters, enabling symlink targets to escape the destination directory and allowing unauthorized modification of file metadata via the use of TarFile.extract or TarFile.extractall with the filte...
Keras Directory Traversal Vulnerability
Summary: Keras's keras.utils.get_file function is vulnerable to directory traversal attacks despite implementing _filter_safe_paths. The vulnerability exists because extract_archive uses Python's tarfile.extractall method without the security-critical filter="data" parameter. A PATH_MAX symlink resoluti...
CVE-2025-12060
The keras.utils.get_file API in Keras, when used with the extract=True option for tar archives, is vulnerable to a path traversal attack. The utility uses Python's tarfile.extractall function without the filter="data" feature. A remote attacker can craft a malicious tar archive containing special...
EUVD-2024-34368
Malicious code in bioql PyPI...
ROS-20250819-06
A vulnerability in the TarFile.extractall and TarFile.extract functions of the tarfile module of the CPython interpreter is related to improper restriction of a path name to a restricted directory. The CPython functions TarFile.extractall and...
A vulnerability in the tarfile.extractall method in the TrueNAS CORE operating system allows an attacker to execute arbitrary code.
The vulnerability in the tarfile.extractall method in the TrueNAS CORE operating system is related to improper limitation of a path name to a restricted directory. Exploiting this vulnerability could allow a remote attacker to execute arbitrary code...
CVE-2024-11944
iXsystems TrueNAS CORE tarfile.extractall Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of iXsystems TrueNAS devices. Authentication is not required to exploit this vulnerability. T...
iXsystems TrueNAS CORE Path Traversal Vulnerability
iXsystems TrueNAS CORE is an open source storage software from iXsystems. A path traversal vulnerability exists in iXsystems TrueNAS CORE version 13.3-RELEASE, which stems from a lack of proper validation of user-supplied paths in the tarfile.extractall method, which could lead to directory...
PT-2022-16057 · Python +1 · Tarfile.Tarfile +1
Name of the Vulnerable Software and Affected Versions: GuardDog versions prior to 0.1.5 Description: The issue allows an attacker to write an arbitrary file on the machine where GuardDog is executed due to a path traversal vulnerability when extracting the .tar.gz file of the package being scanne...