CVE-2025-4517 Overview
CVE-2025-4517 allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data" using Python's tarfile module.
Users are affected by this vulnerability if they use the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() with the filter= parameter set to "data" or "tar". This vulnerability is significant starting from Python 3.14, where the default value of filter= changed to "data".
Note that because source distributions allow arbitrary code execution during the build process, caution should be exercised to avoid installing suspicious source distributions.
Critical Impact
Unchecked archive extraction can lead to unauthorized filesystem writes, posing significant security risks.
Affected Products
- Not Available
Discovery Timeline
- 2025-06-03 - CVE-2025-4517 published to NVD
- 2025-06-05 - Last updated in NVD database
Technical Details for CVE-2025-4517
Vulnerability Analysis
The vulnerability arises when Python's tarfile module extracts archives with filters that do not adequately check the file paths of the extracted contents. An attacker can craft an archive that, when extracted, writes files outside the intended directory.
Root Cause
Improper validation by the filter="data" and filter="tar" filters during tarball extraction, leading to a path traversal vulnerability.
Attack Vector
Network-based attacks using malicious tarballs that users download and extract using affected Python scripts.
# Example of the affected extraction pattern (sanitized)
import tarfile

def extract_malicious_tar():
    # Extracting an untrusted archive with filter='data' on an unpatched Python
    with tarfile.open('malicious.tar', 'r') as archive:
        archive.extractall(path='.', filter='data')  # beware of the filter setting
Detection Methods for CVE-2025-4517
Indicators of Compromise
- Unusual file modifications outside intended directories
- Unexpected tarfile extraction activities
- Access logs showing downloads of suspicious tar archives
Detection Strategies
Utilize file integrity monitoring tools to detect unauthorized file writes outside expected directories. Review logs for tarfile usage.
Monitoring Recommendations
Regularly check for anomalous file writes and verify archive extraction logs to detect unusual TarFile.extractall() or TarFile.extract() operations.
How to Mitigate CVE-2025-4517
Immediate Actions Required
- Validate tarball sources before extraction.
- Implement additional path sanitization checks.
- Update Python to a patched version.
Patch Information
Users should monitor Python's official repositories and apply available patches. References to relevant patches include:
Workarounds
Avoid using the filter= parameter or strictly control its usage. Consider using alternative extraction libraries that provide enhanced security checks.
# Configuration example
# Avoid using vulnerable extraction filters in Python scripts
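As an added example, not part of the original advisory, here is one form the "additional path sanitization checks" above can take: a pre-extraction scan that lists archive members whose name or link target would resolve outside the destination directory, exercised on a constructed in-memory archive. The destination path is a hypothetical value and does not need to exist.

```python
import io
import os
import tarfile


def is_within(base: str, target: str) -> bool:
    """True if target, once normalised, stays at or below base."""
    base, target = os.path.realpath(base), os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def unsafe_members(archive: tarfile.TarFile, dest: str) -> list[str]:
    """Names of members whose path or link target would escape dest.
    Defence in depth before extractall(): a name-only scan cannot see
    ordering tricks (a link first, a file written through it later),
    so links are refused too whenever their target leaves dest."""
    bad = []
    for m in archive.getmembers():
        path = os.path.join(dest, m.name)
        if os.path.isabs(m.name) or not is_within(dest, path):
            bad.append(m.name)
            continue
        if m.issym():  # symlink targets are relative to the link's directory
            target = os.path.join(os.path.dirname(path), m.linkname)
        elif m.islnk():  # hard link targets are relative to the archive root
            target = os.path.join(dest, m.linkname)
        else:
            continue
        if os.path.isabs(m.linkname) or not is_within(dest, target):
            bad.append(m.name)
    return bad


def build_sample_archive() -> bytes:
    """Constructed in-memory tar: a benign file, a '..' name, a symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("pkg/readme.txt", "../escape.txt"):
            info = tarfile.TarInfo(name)
            info.size = 6
            tar.addfile(info, io.BytesIO(b"hello\n"))
        link = tarfile.TarInfo("pkg/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()


def check_sample(dest: str = "/tmp/untrusted-extract") -> list[str]:
    """Scan the constructed archive against a hypothetical destination."""
    with tarfile.open(fileobj=io.BytesIO(build_sample_archive())) as archive:
        return unsafe_members(archive, dest)
```

Refuse the whole archive if the returned list is non-empty; the scan complements, rather than replaces, running a patched Python.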
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

