CVE-2025-8194

Tarfile infinite loop during parsing with negative member offset

Description

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1

Category

7.5
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.06%
Vendor Advisory python.org
Affected: Python Software Foundation CPython
Published at:
Updated at:

References

Link Tags
https://github.com/python/cpython/issues/130577 issue tracking
https://github.com/python/cpython/pull/137027 patch
https://mail.python.org/archives/list/security-announce@python.org/thread/ZULLF3IZ726XP5EY7XJ7YIN3K5MDYR2D/ vendor advisory
https://github.com/python/cpython/commit/7040aa54f14676938970e10c5f74ea93cd56aa38 patch
https://github.com/python/cpython/commit/cdae923ffe187d6ef916c0f665a31249619193fe patch
https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1 mitigation
https://github.com/python/cpython/commit/c9d9f78feb1467e73fd29356c040bde1c104f29f patch
https://github.com/python/cpython/commit/fbc2a0ca9ac8aff6887f8ddf79b87b4510277227 patch

Frequently Asked Questions

What is the severity of CVE-2025-8194?
CVE-2025-8194 has been scored as a high severity vulnerability.
How to fix CVE-2025-8194?
To fix CVE-2025-8194, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-8194 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-8194 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-8194?
CVE-2025-8194 affects Python Software Foundation CPython.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.