CVE-2025-4330 in CPython

Summary

by MITRE • 06/03/2025

Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.


You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.

Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to "data", so if you are relying on this new default behavior then your usage is also affected.

Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.


Analysis

by VulDB Data Team • 12/21/2025

The vulnerability tracked as CVE-2025-4330 is a flaw in Python's tarfile module that weakens the protection the extraction filters were introduced to provide when extracting untrusted tar archives. When TarFile.extractall() or TarFile.extract() is called with filter="data" or filter="tar", the filter is supposed to reject symbolic link members whose targets resolve outside the destination directory. Because of this flaw, such link targets could pass the filter, and some file metadata could be modified beyond the intended extraction boundary. The weakness is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), the directory traversal class that has been a recurring problem in archive extractors for decades.

The flaw lies in the extraction filter logic that validates link members against the destination directory. A "data" or "tar" filter should ensure that no symbolic link created during extraction points outside the destination, because a link that escapes the directory gives later operations (including the chown, chmod and utime calls tarfile performs to restore member metadata) a path to files the extraction was never meant to touch. On an affected interpreter that guarantee does not hold: a crafted archive can contain a symbolic link whose target lies outside the extraction directory and still be accepted by the filter. The advisory does not spell out the exact bypass, and this page does not either; the practical point is that on an unpatched interpreter the "data" and "tar" filters could not be relied on to enforce the destination boundary for link members, even though that is precisely what they were added to do.

In operational terms, CVE-2025-4330 undermines the trust developers place in the filter parameter when processing untrusted archives. Any automated pipeline that extracts user-supplied tar files with filter="data" or filter="tar" (build systems, package tooling, upload handlers, CI jobs) could end up with a symbolic link that points outside the extraction directory, and with metadata of files outside that directory modified, despite using what the documentation presents as the safe setting. Python 3.14 changed the default value of filter= from "no filtering" to "data", so code that omits the parameter and relies on that new default is affected in the same way; code that ran with no filter on earlier versions never had this protection in the first place and should not treat the absence of a filter as a safer alternative. As the summary above notes, installing source distributions is not significantly affected, since an sdist can already run arbitrary code at build time. VulDB maps this entry to ATT&CK technique T1059.007 (Command and Scripting Interpreter: JavaScript); the mapping is loose, as the vulnerability yields file-system effects rather than code execution by itself, although the ability to plant links and alter metadata outside an extraction directory can be a step toward persistence or privilege escalation in a suitably configured environment.

Mitigation starts with upgrading: the tarfile fixes for this group of issues shipped in the June 2025 security releases, Python 3.13.4 and 3.12.11, and in the 3.14 pre-releases that followed. Where an upgrade cannot happen immediately, do not fall back to filter=None; instead wrap the "data" filter in a custom filter function (filter= accepts any callable taking a TarInfo and the destination path) that independently resolves every symbolic and hard link target against the real destination path and rejects anything that escapes, or rejects link members outright if the application never needs them. Extracting untrusted archives inside a sandbox, container or dedicated unprivileged user limits what a successful bypass can reach. Review existing code for calls to TarFile.extractall() and TarFile.extract(), including calls that omit filter= and therefore pick up the 3.14 default, and make sure each one uses the most restrictive filter the use case allows. Finally, the change of default in 3.14 is a reminder that a library's default security behavior is part of an application's attack surface: a setting that is silently upgraded for you can also be silently broken by a bug in the new default.
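As an added example (not code from the PSF advisory, CPython or VulDB), the following Python script shows the kind of independent link-target check the two preceding paragraphs describe: a custom extraction filter that chains the stdlib "data" filter where it exists and then re-validates every symbolic and hard link target against the real destination path, plus an audit function that applies the filter to each member of an in-memory archive without extracting anything. The archive contents (docs/readme.txt, a safe relative symlink, a safe hard link, one symlink escaping via ../.., one absolute symlink), the destination path and the function names are constructed for this example. It is defence in depth, not a substitute for upgrading: the check is a path resolution performed before each member is written, so upgrade first and use something like this as a second guard.

```python
"""Defence-in-depth extraction filter for untrusted tar archives (added example)."""
import io
import os
import tarfile
import tempfile

# tarfile.data_filter exists on Python 3.12+ (and on the 3.8-3.11 backport releases).
_STDLIB_DATA_FILTER = getattr(tarfile, "data_filter", None)

# Constructed destination for the example; any directory path works, it need not exist.
DEFAULT_DEST = os.path.join(tempfile.gettempdir(), "cve_2025_4330_demo")


class LinkEscapesDestination(getattr(tarfile, "FilterError", tarfile.TarError)):
    """Raised for a symlink or hard link whose target resolves outside the destination."""


def _resolves_inside(dest: str, relative_target: str) -> bool:
    """Resolve relative_target against dest and report whether it stays inside.

    realpath() normalises '..' components and follows any symlinks that already
    exist on disk, so a link that escapes only via an earlier extracted link is
    caught too, as long as members are checked in archive order.
    """
    dest_real = os.path.realpath(dest)
    target_real = os.path.realpath(os.path.join(dest_real, relative_target))
    return os.path.commonpath([dest_real, target_real]) == dest_real


def strict_link_filter(member: tarfile.TarInfo, dest: str) -> tarfile.TarInfo:
    """Extraction filter: stdlib 'data' filter first, then an independent link check.

    The second check does not rely on the stdlib's own link validation, so it
    still rejects escaping link targets on an interpreter that has not been patched.
    """
    if _STDLIB_DATA_FILTER is not None:
        member = _STDLIB_DATA_FILTER(member, dest)
    if member.issym() or member.islnk():
        if os.path.isabs(member.linkname):
            raise LinkEscapesDestination(member, member.linkname)
        if member.issym():
            # A symlink target is relative to the directory containing the link.
            target = os.path.join(os.path.dirname(member.name), member.linkname)
        else:
            # A hard link target is an archive-relative path.
            target = member.linkname
        if not _resolves_inside(dest, target):
            raise LinkEscapesDestination(member, member.linkname)
    return member


def build_sample_archive() -> bytes:
    """Construct, in memory, a tar archive mixing benign and escaping link members.

    Constructed sample data for this example, not a real-world malicious archive.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        payload = b"hello\n"
        info = tarfile.TarInfo("docs/readme.txt")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))

        safe_sym = tarfile.TarInfo("docs/latest")
        safe_sym.type = tarfile.SYMTYPE
        safe_sym.linkname = "readme.txt"          # resolves to docs/readme.txt, inside
        tf.addfile(safe_sym)

        safe_hard = tarfile.TarInfo("docs/copy")
        safe_hard.type = tarfile.LNKTYPE
        safe_hard.linkname = "docs/readme.txt"    # archive-relative, inside
        tf.addfile(safe_hard)

        escaping = tarfile.TarInfo("escape")
        escaping.type = tarfile.SYMTYPE
        escaping.linkname = "../../outside.txt"   # resolves above the destination
        tf.addfile(escaping)

        absolute = tarfile.TarInfo("abs")
        absolute.type = tarfile.SYMTYPE
        absolute.linkname = "/etc/passwd"         # absolute target, always rejected
        tf.addfile(absolute)
    return buf.getvalue()


def audit_members(archive: bytes, dest: str) -> dict:
    """Run the filter over every member without extracting.

    Returns {member name: "ok" or the name of the exception class that rejected it}.
    """
    verdicts = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tf:
        for member in tf.getmembers():
            try:
                strict_link_filter(member, dest)
                verdicts[member.name] = "ok"
            except Exception as exc:  # FilterError subclasses, or TarError on old interpreters
                verdicts[member.name] = type(exc).__name__
    return verdicts


if __name__ == "__main__":
    for name, verdict in audit_members(build_sample_archive(), DEFAULT_DEST).items():
        print(f"{name:20s} {verdict}")
```

On Python 3.12 or later the same callable can be passed directly as `filter=strict_link_filter` to `TarFile.extractall()` or `TarFile.extract()`; with the default errorlevel a rejected member aborts the extraction. On a patched interpreter the stdlib filter rejects the escaping members first (the audit reports its exception class), while on an unpatched one the second check still catches them, which is the point of layering the two.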

Responsible

PSF

Reservation

05/05/2025

Disclosure

06/03/2025

Moderation

accepted

CPE

ready

EPSS

0.00728

KEV

no

Activities

very low
