CVE-2024-12718 in CPython

Summary

by MITRE • 06/03/2025

Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.

Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to "data", so if you are relying on this new default behavior then your usage is also affected.

Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.


Analysis

by VulDB Data Team • 12/21/2025

The vulnerability identified as CVE-2024-12718 is a directory traversal flaw in Python's tarfile module affecting versions 3.12 and later. It arises from incomplete validation of file paths during tar archive extraction when the filter parameter is set to "data" or "tar". A crafted archive can make the extraction code change metadata of files outside the intended extraction directory: with filter="data" an attacker can modify timestamps such as the last-modified time, and with filter="tar" an attacker can change file permissions (chmod). The advisory describes the impact as metadata and permission changes on files outside the destination, not as writing file contents there; the point is that operations which should be confined to the extraction directory escape it. The issue maps to CWE-22, "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')".

The flaw sits in how the tarfile module applies extraction filters when TarFile.extractall() or TarFile.extract() is called with filter="data" or filter="tar". These filters are meant to reject member names that leave the destination (for example "../" components or absolute paths) and to sanitize member metadata, but their path validation was incomplete, so a crafted archive could direct a timestamp change (filter="data") or a permission change (filter="tar") at a file outside the destination directory. Exposure widens with Python 3.14, where the default value of filter= changed from "no filtering" (the fully_trusted behaviour) to "data": code that never passes filter= explicitly is affected there as well. VulDB maps the issue to ATT&CK T1068 (Exploitation for Privilege Escalation), since loosening the permissions of a file outside the extraction directory can be a step toward elevated access.

The operational impact is narrower than an arbitrary file write but still material. An attacker who gets a crafted archive extracted can alter the timestamps of files outside the extraction directory (filter="data") or change their permission bits (filter="tar"); the latter can, for instance, make a previously protected file readable or writable by other users, which then becomes a stepping stone for further attacks. Systems that extract untrusted tar archives automatically, such as continuous integration pipelines, deployment tooling, or services that accept uploaded archives, are the main concern, because extraction runs with the privileges of the service and a malicious archive looks like a benign one unless its member names and types are inspected. Exploitation needs no privileges beyond getting the archive extracted and uses nothing but the standard extraction code path, so it leaves few traces for conventional monitoring.

Mitigation should start with upgrading to a Python release that contains the fix and making sure affected applications run on it. Do not respond by dropping the filter= argument: on versions before 3.14 that falls back to unfiltered (fully_trusted) extraction, which is strictly worse than a filter with a known weakness. Keep filter="data" (or a custom filter built on top of it) and add application-level validation of untrusted archives before extraction, for example rejecting link members and any member whose resolved path is not inside a freshly created destination directory. Extracting untrusted archives in a sandbox whose filesystem access is limited to that destination contains the damage if a filter check is bypassed. Finally, review automated processes that install source distributions: integrity verification of the archive and a check for suspicious links, as the advisory recommends, belong in those pipelines. These steps are consistent with general guidance on handling untrusted input, including the OWASP Top Ten.

Responsible

PSF

Reservation

12/17/2024

Disclosure

06/03/2025

Moderation

accepted

CPE

ready

EPSS

0.00607

KEV

no

Activities

very low
