SentinelOne
CVE Vulnerability Database

CVE-2025-4517: Python tarfile Path Traversal Vulnerability

CVE-2025-4517 is a path traversal vulnerability in Python's tarfile module that allows arbitrary filesystem writes during extraction with filter=data. This article covers technical details, affected versions, and mitigation.


CVE-2025-4517 Overview

CVE-2025-4517 allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data" using Python's tarfile module.

Users are affected if they use the tarfile module to extract untrusted tar archives with TarFile.extractall() or TarFile.extract() and the filter= parameter set to "data" or "tar". Extraction filters exist in Python 3.12 and later (and in the maintenance releases that backported them), so passing filter="data" on any of those versions before the fix is affected. The issue matters most from Python 3.14 on, where the default value of filter= changed to "data": code that passes no filter= at all is then affected as well.

Note that source distributions shipped as tar archives are not significantly affected, because installing a source distribution already allows arbitrary code execution during the build process. Even so, avoid installing source distributions that contain suspicious links.

Critical Impact

Extracting an untrusted archive on an affected interpreter can create or overwrite files outside the destination directory, which turns a supposedly safe extraction into a write primitive anywhere the extracting process has permission to write.

Affected Products

  • Not Available

Discovery Timeline

  • 2025-06-03 - CVE-2025-4517 published to NVD
  • 2025-06-05 - Last updated in NVD database

Technical Details for CVE-2025-4517

Vulnerability Analysis

The "data" filter is supposed to reject any member whose resolved path, including the target of a symbolic or hard link, falls outside the destination directory. In affected versions those checks could be bypassed, so an attacker who controls the archive can include members that, when extracted, write files outside the intended directory.

Root Cause

Incomplete path validation in the "data" and "tar" extraction filters: member paths and link targets were not fully checked against the destination directory before extraction, leaving a path traversal.

Attack Vector

Any channel that delivers an attacker-crafted tarball to a script that extracts it with tarfile, for example a download over the network, an uploaded archive, or an artifact fetched by a build pipeline. No interaction beyond running the extraction is needed.

python
# Affected usage pattern: extracting an archive from an untrusted source with
# filter="data" on an interpreter that still carries the flaw. The filter is
# meant to reject members that would land outside `dest`; on affected versions
# a crafted member can slip past it and write elsewhere on the filesystem.
import tarfile


def extract_untrusted_tar(archive_path="malicious.tar", dest="."):
    with tarfile.open(archive_path, "r") as archive:
        archive.extractall(path=dest, filter="data")  # affected call on unpatched Python

Detection Methods for CVE-2025-4517

Indicators of Compromise

  • Unusual file modifications outside intended directories
  • Unexpected tarfile extraction activities
  • Access logs showing downloads of suspicious tar archives

Detection Strategies

Utilize file integrity monitoring tools to detect unauthorized file writes outside expected directories. Review logs for tarfile usage.

Monitoring Recommendations

Regularly check for anomalous file writes and verify archive extraction logs to detect unusual TarFile.extractall() or TarFile.extract() operations.

How to Mitigate CVE-2025-4517

Immediate Actions Required

  • Validate tarball sources before extraction.
  • Implement additional path sanitization checks.
  • Update Python to use patched versions.

Patch Information

Users should monitor Python's official repositories and apply available patches. References to relevant patches include:

Workarounds

Do not extract untrusted archives with an unpatched interpreter, and do not treat filter="data" as a complete guard there. Omitting filter= is not a workaround: on Python before 3.14 the default is the unfiltered "fully_trusted" behaviour, which performs no path checks at all. Until a patched release is installed, validate member names and link targets yourself before calling extract()/extractall(), extract into a dedicated empty directory under a low-privilege account, and consider an alternative extraction library with stricter checks.
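The pre-extraction check recommended above (and the "additional path sanitization" and detection steps earlier on this page) can be implemented without relying on the interpreter's own filter. The following is an added example written for this article, not code from CPython or from the advisory: it audits every member of an archive before anything is written, modelling symlink members so that a later member routed through a link is judged by where the link points, refuses the whole archive if any member would escape the destination, and only then extracts with filter="data" where the interpreter has one. The function names, the sample archives and their member names are constructed for the demo; the crafted archive contains the member shapes a traversal attack relies on, not a reproduction of the actual CVE-2025-4517 bypass.

```python
# Pre-extraction audit of a tar archive plus a guarded extract wrapper.
# Added example for this article, not code from CPython or the advisory;
# the sample archives below are constructed for the demo.
import io
import os
import posixpath
import tarfile

def _inside(dest, path):
    return path == dest or path.startswith(dest + os.sep)

def _resolve(dest, rel, links):
    """Absolute path an archive-relative name lands on, following symlink members seen so far."""
    cur = dest
    for part in posixpath.normpath(rel).split("/"):
        if part not in ("", "."):
            cur = os.path.normpath(os.path.join(cur, part))
            cur = links.get(cur, cur)  # links: absolute link path -> absolute target
    return cur

def audit_members(tar, dest):
    """(name, reason) for every member that could touch the filesystem outside dest.
    A per-member filter cannot see a later member routed through an earlier link; this can."""
    dest = os.path.realpath(dest)
    findings, links = [], {}
    for m in tar.getmembers():
        if m.isdev():
            findings.append((m.name, "device node"))
            continue
        if posixpath.isabs(m.name) or m.name.startswith("\\"):
            findings.append((m.name, "absolute path"))
            continue
        target = _resolve(dest, m.name, links)
        if not _inside(dest, target):
            findings.append((m.name, "path escapes destination"))
            continue
        if m.issym():   # symlink targets are relative to the link's own directory
            rel = posixpath.join(posixpath.dirname(m.name), m.linkname)
            link_abs = os.path.normpath(m.linkname) if posixpath.isabs(m.linkname) else _resolve(dest, rel, links)
        elif m.islnk():  # hardlink targets are archive-relative names
            link_abs = _resolve(dest, m.linkname, links)
        else:
            continue
        links[target] = link_abs  # record bad links too, so members routed through them are caught
        if not _inside(dest, link_abs):
            findings.append((m.name, f"link to {m.linkname!r} outside destination"))
    return findings

def safe_extract(archive, dest):
    """Refuse the whole archive on any finding; otherwise extract with the stdlib data filter if present."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
        findings = audit_members(tar, dest)
        if findings:
            raise ValueError(f"refusing to extract: {findings}")
        if hasattr(tarfile, "data_filter"):  # PEP 706 filters present (3.12+ or a backport)
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)  # no filter support: the audit above is the only guard
        return [m.name for m in tar.getmembers()]

def data_filter_verdicts(archive, dest):
    """What the stdlib data filter alone decides per member (True = accepted); {} without filters."""
    out = {}
    if hasattr(tarfile, "data_filter"):
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
            for m in tar.getmembers():
                try:
                    tarfile.data_filter(m, dest)
                    out[m.name] = True
                except tarfile.FilterError:
                    out[m.name] = False
    return out

def _member(tar, name, data=b"", link=None, typ=tarfile.REGTYPE):
    ti = tarfile.TarInfo(name)
    ti.type, ti.linkname, ti.size = (tarfile.SYMTYPE if link else typ), link or "", len(data)
    tar.addfile(ti, io.BytesIO(data) if ti.isreg() else None)

def build_benign_archive():
    """Constructed sample: a file under one directory plus a symlink that stays inside."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _member(tar, "ok/readme.txt", b"hello\n")
        _member(tar, "good_link", link="ok")
    return buf.getvalue()

def build_crafted_archive():
    """Constructed sample of the member shapes a traversal attack relies on."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _member(tar, "ok/readme.txt", b"decoy\n")
        _member(tar, "../../escape.txt", b"outside\n")       # dot-dot traversal
        _member(tar, "/abs.txt", b"outside\n")                # absolute member name
        _member(tar, "link", link="../../outside_dir")       # symlink pointing out of dest
        _member(tar, "link/payload.txt", b"outside\n")        # write routed through that link
        _member(tar, "good_link", link="ok")
        _member(tar, "good_link/inner.txt", b"inside\n")      # routed through a link that stays inside
        _member(tar, "dev/fake_null", typ=tarfile.CHRTYPE)    # device node: never wanted from an archive
    return buf.getvalue()
```

Run the audit against a temporary directory: the crafted archive is rejected for the dot-dot member, the absolute name, the outward symlink, the write routed through it and the device node, while the decoy file and the symlink that stays inside pass. data_filter_verdicts shows what the stdlib filter decides on its own for the same members; because that filter judges one member at a time against the real filesystem, a check that reasons about the whole archive first is a useful belt-and-braces control even on a patched interpreter, and the only control on one without filters.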

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
