CVE-2025-4138 — Path Traversal in Python Software Foundation CPython
Severity: 7.5 HIGH (NVD)
EPSS: 0.3% (top 49.25%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Jun 3; Latest update Jun 19
Description
Allows the extraction filter to be ignored, so that symlink targets can point outside the destination directory and some file metadata can be modified.
You are affected by this vulnerability if you use the tarfile module to extract untrusted tar archives with TarFile.extractall() or TarFile.extract() and the filter= parameter set to "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more …
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Exploitability: 3.9 | Impact: 3.6)
Affected packages: 1 package
Vulnerability Details (4 sources)
- OSV, 2025-06-03: CVE-2025-4138: Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file met...
- GHSA, 2025-06-03: GHSA-4g4g-fqw4-prp2: Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file met...
- CVEList, 2025-06-03: Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory
Vendor Advisories (4 sources)
- Microsoft, 2025-06-10: Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory
- Red Hat, 2025-06-03: cpython: python: Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory
- Debian, 2025: CVE-2025-4138: jython - Allows the extraction filter to be ignored, allowing symlink targets to point ou...