CVE-2025-4435

Tarfile extracts filtered members when errorlevel=0

Description

When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.

Category

7.5
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.04%
Vendor Advisory python.org
Affected: Python Software Foundation CPython
Published at:
Updated at:

References

Link Tags
https://github.com/python/cpython/issues/135034 issue tracking
https://github.com/python/cpython/pull/135037 patch
https://mail.python.org/archives/list/security-announce@python.org/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/ vendor advisory
https://github.com/python/cpython/commit/3612d8f51741b11f36f8fb0494d79086bac9390a patch
https://github.com/python/cpython/commit/9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a patch
https://github.com/python/cpython/commit/19de092debb3d7e832e5672cc2f7b788d35951da patch
https://github.com/python/cpython/commit/aa9eb5f757ceff461e6e996f12c89e5d9b583b01 patch
https://github.com/python/cpython/commit/28463dba112af719df1e8b0391c46787ad756dd9 patch
https://github.com/python/cpython/commit/4633f3f497b1ff70e4a35b6fe2c907cbe2d4cb2e patch
https://github.com/python/cpython/commit/9c1110ef6652687d7c55f590f909720eddde965a patch
https://github.com/python/cpython/commit/dd8f187d0746da151e0025c51680979ac5b4cfb1 patch

Frequently Asked Questions

What is the severity of CVE-2025-4435?
CVE-2025-4435 has been scored as a high severity vulnerability.
How to fix CVE-2025-4435?
To fix CVE-2025-4435, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-4435 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-4435 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-4435?
CVE-2025-4435 affects Python Software Foundation CPython.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.