CVE-2025-4330: Path Traversal in Python Software Foundation CPython

CWE-22: Path Traversal (9 documents, 8 sources)

Severity: 7.5 HIGH (NVD)
EPSS: 1.0% (top 22.84%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 3; latest update Jun 19

Description

Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more
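The record above names the affected call (TarFile.extractall() / TarFile.extract() with filter="data" or "tar") but not what a caller should do while interpreters are still being patched. The following is an added example, not code from the CVE record, from CPython or from cvebase: a metadata-only scan placed in front of extractall() that rejects any member whose path or link target would land outside the destination, including through a symlink that the archive itself declares earlier, so it does not depend on the extraction filter doing its job. It still requests filter="data" where the interpreter offers it. The helper names (_walk, find_unsafe_members, scan, safe_extractall, build_sample_archive, UnsafeArchive) and the contents of the sample archive are this example's own.

```python
"""Pre-extraction scan for untrusted tar archives (added example, not CPython code).

Works from archive metadata alone and does not depend on the filter=
parameter, so it still rejects links pointing outside the destination on an
interpreter whose extraction filter can be bypassed.
"""
import io
import os
import posixpath
import tarfile


class UnsafeArchive(ValueError):
    """Raised by safe_extractall() when the scan flags any member."""


def _walk(path, symlinks):
    """Normalize an archive-relative path one component at a time.

    Returns the normalized path, or None when the path is absolute, climbs
    above the archive root, or passes through a directory that an earlier
    member declared as a symlink (the kernel would follow that symlink on
    disk, so plain textual normalization is not enough).
    """
    if posixpath.isabs(path) or os.path.isabs(path) or os.path.splitdrive(path)[0]:
        return None
    stack = []
    for part in path.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not stack:
                return None            # would climb above the destination
            stack.pop()
            continue
        stack.append(part)
        if "/".join(stack) in symlinks:
            return None                # would resolve through an archive-controlled symlink
    return "/".join(stack)


def find_unsafe_members(tar):
    """Return {member name: reason} for every member that must not be extracted."""
    symlinks = set()                   # archive paths declared as symlinks so far
    bad = {}
    for m in tar.getmembers():
        name = _walk(m.name, symlinks)
        if name is None:
            bad[m.name] = "member path escapes destination or passes through a symlink"
        elif m.issym():
            # symlink targets resolve relative to the symlink's own directory
            if _walk(posixpath.join(posixpath.dirname(name), m.linkname), symlinks) is None:
                bad[m.name] = "symlink target escapes destination"
            else:
                symlinks.add(name)
        elif m.islnk():
            # hard link targets are archive-relative
            if _walk(m.linkname, symlinks) is None:
                bad[m.name] = "hard link target escapes destination"
        elif m.isdev():                # character/block devices and FIFOs
            bad[m.name] = "device or fifo entry"
    return bad


def scan(data):
    """Scan raw archive bytes in memory."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        return find_unsafe_members(tar)


def safe_extractall(data, dest):
    """Refuse the whole archive if anything is flagged; otherwise extract.

    filter="data" is still requested where the interpreter offers it; the scan
    is an extra layer, not a replacement for a patched tarfile.
    """
    bad = scan(data)
    if bad:
        raise UnsafeArchive(bad)
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def _entry(name, type_=tarfile.REGTYPE, linkname="", payload=b""):
    """Build one TarInfo (plus file object for regular files) for the sample archive."""
    ti = tarfile.TarInfo(name)
    ti.type, ti.linkname, ti.size = type_, linkname, len(payload)
    return ti, (io.BytesIO(payload) if type_ == tarfile.REGTYPE else None)


def build_sample_archive():
    """Constructed sample: two benign members and four that must be rejected."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for ti, fobj in (
            _entry("docs/readme.txt", payload=b"hello\n"),                  # benign
            _entry("here", tarfile.SYMTYPE, linkname="."),                   # benign by itself
            _entry("escape", tarfile.SYMTYPE, linkname="../../etc/passwd"),  # link outside dest
            _entry("here/../outside"),                                       # writes through "here"
            _entry("/etc/cron.d/evil"),                                      # absolute path
            _entry("null", tarfile.CHRTYPE),                                 # device node
        ):
            tar.addfile(ti, fobj)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan(build_sample_archive()).items():
        print(f"reject {name!r}: {reason}")
```

safe_extractall() refuses the whole archive rather than skipping the flagged members, so a hostile archive cannot obtain a partial extraction in which an earlier symlink is already on disk when a later member is written. The pass-through check in _walk is deliberately conservative: any path that crosses a directory the archive declared as a symlink is rejected, even when textual normalization would make it look harmless.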

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6
(Network attack vector, low complexity, no privileges or user interaction required; high integrity impact, no confidentiality or availability impact. The integrity-only impact matches the description: the bypass lets an archive write or link outside the destination directory, not read from it.)

Affected Packages (1 package)

CVEListV5: python_software_foundation/cpython, 3.10.0 to 3.10.18 (+5 more version ranges)

🔴 Vulnerability Details

GHSA: GHSA-68pj-xrp5-vccj: Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata (2025-06-03)
CVEList: Extraction filter bypass for linking outside extraction directory (2025-06-03)
OSV: CVE-2025-4330: Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata (2025-06-03)

📋 Vendor Advisories

Ubuntu: Python vulnerabilities (2025-06-19)
Microsoft: Extraction filter bypass for linking outside extraction directory (2025-06-10)
Red Hat: cpython: python: Extraction filter bypass for linking outside extraction directory (2025-06-03)
Debian: CVE-2025-4330: jython - Allows the extraction filter to be ignored, allowing symlink targets to point ou... (2025)
CVE-2025-4330 — Path Traversal | cvebase