PT-2025-23607 · Python+10 · Python+11

Jakub Wilk (+5) · Published 2025-06-03 · Updated 2026-05-18 · CVE-2024-12718

CVSS v4.0: 10 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Python 3.12 and later: the 3.12 series before 3.12.11, the 3.13 series before 3.13.4, and 3.14 pre-releases before the fix. Branches older than 3.12 are not affected by this issue according to the upstream CVE record.
Description
A crafted tar archive can make the tarfile module change file metadata (for example the last-modified time, when extracting with filter="data") or file permissions (chmod, when extracting with filter="tar") on files outside the intended extraction directory. Code is affected when it extracts untrusted archives with TarFile.extractall() or TarFile.extract() using filter="data" or filter="tar". In Python 3.14 and later the default value of the filter parameter is "data", so code that relies on the default is affected as well. Extracting untrusted archives with no filter at all (the "fully_trusted" behaviour that is still the default in 3.12 and 3.13) was never safe and is out of scope for this fix; the issue here is that the filters intended to prevent such side effects could be bypassed for metadata and permission changes.
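The hardened extraction routine below is an added example for this advisory, not code from this page or from CPython. It enforces a stricter policy than the built-in "data" filter (it refuses every link member, not only links that point outside the destination) and verifies each member's resolved path before anything is written, so the metadata and permission side effects described above cannot reach files outside the destination even on an unpatched interpreter. The names safe_extract, build_tar and demo, and the four sample archives, are this example's own; the archives are constructed in memory, and the "link" one only illustrates the link-followed-by-a-member shape that the upstream filter fixes dealt with, it is not a reproduction of the CVE.

```python
"""Hardened extraction of untrusted tar archives.

Added example for this advisory; not code from the page or from CPython.
safe_extract(), build_tar() and demo() are this example's own names.
"""
import io
import os
import tarfile
import tempfile


def safe_extract(archive_bytes, dest):
    """Extract a tar archive (given as bytes) into dest.

    Policy, checked before anything touches the filesystem:
      * no symlink or hardlink members at all (stricter than the "data"
        filter, which allows links pointing inside dest);
      * only regular files and directories (no devices, FIFOs, ...);
      * every member must resolve, via realpath(), to a path inside dest.
    Returns the names of the members that were extracted.
    """
    dest_real = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tf:
        members = tf.getmembers()
        for m in members:
            if m.issym() or m.islnk():
                raise ValueError(f"link member refused: {m.name!r} -> {m.linkname!r}")
            if not (m.isfile() or m.isdir()):
                raise ValueError(f"special member refused: {m.name!r}")
            # realpath() resolves '..' and any symlink already present under
            # dest, so an absolute name or a traversal lands outside dest_real.
            target = os.path.realpath(os.path.join(dest_real, m.name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"member escapes destination: {m.name!r}")
        # Keep the "data" filter as a second layer where it exists: it still
        # strips setuid/setgid bits and ownership from the extracted files.
        if hasattr(tarfile, "data_filter"):
            tf.extractall(dest_real, members=members, filter="data")
        else:
            tf.extractall(dest_real, members=members)
    return [m.name for m in members]


def build_tar(members):
    """Build a tar archive in memory from (name, kind, payload) tuples.

    kind is "file" (payload = content), "dir" (payload ignored) or
    "sym" (payload = link target). Used only to construct sample input.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, payload in members:
            ti = tarfile.TarInfo(name)
            if kind == "file":
                data = payload.encode()
                ti.size = len(data)
                ti.mode = 0o644
                tf.addfile(ti, io.BytesIO(data))
            elif kind == "dir":
                ti.type = tarfile.DIRTYPE
                ti.mode = 0o755
                tf.addfile(ti)
            elif kind == "sym":
                ti.type = tarfile.SYMTYPE
                ti.linkname = payload
                tf.addfile(ti)
            else:
                raise ValueError(f"unknown member kind {kind!r}")
    return buf.getvalue()


def demo():
    """Run safe_extract over constructed archives and report each outcome."""
    archives = {
        "benign": build_tar([("docs", "dir", None),
                             ("docs/readme.txt", "file", "hello\n")]),
        "traversal": build_tar([("../escape.txt", "file", "x")]),
        "absolute": build_tar([("/tmp/escape.txt", "file", "x")]),
        # Constructed illustration of a link member followed by a member whose
        # path goes through that link; not a reproduction of the CVE.
        "link": build_tar([("out", "sym", "/tmp"),
                           ("out/pwned.txt", "file", "x")]),
    }
    outcome = {}
    for label, blob in archives.items():
        with tempfile.TemporaryDirectory() as d:
            try:
                extracted = safe_extract(blob, d)
            except ValueError as exc:
                outcome[label] = f"rejected: {exc}"
                continue
            # Confirm that everything we accepted landed inside the destination.
            ok = all(os.path.lexists(os.path.join(d, n)) for n in extracted)
            outcome[label] = "extracted" if ok else "extracted-but-missing"
    return outcome


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:10s} {result}")
```

On a patched interpreter filter="data" remains the right default; the pre-check is defence in depth. The realpath() step matters because it also catches symlinks that already exist under the destination, which a name-only check with os.path.normpath() would miss.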
Recommendations
Update to a Python release that contains the fix (upstream 3.12.11 and 3.13.4). For the Ubuntu packages below, the listed versions address the vulnerability:
  • idle-python3.12 - 3.12.7-1ubuntu2.2
  • libpython3.12-dev - 3.12.7-1ubuntu2.2
  • libpython3.12-minimal - 3.12.7-1ubuntu2.2
  • libpython3.12-stdlib - 3.12.7-1ubuntu2.2
  • libpython3.12-testsuite - 3.12.7-1ubuntu2.2
  • libpython3.12t64 - 3.12.7-1ubuntu2.2
  • python3.12 - 3.12.7-1ubuntu2.2
  • python3.12-dev - 3.12.7-1ubuntu2.2
  • python3.12-doc - 3.12.7-1ubuntu2.2
  • python3.12-examples - 3.12.7-1ubuntu2.2
  • python3.12-full - 3.12.7-1ubuntu2.2
  • python3.12-gdbm - 3.12.7-1ubuntu2.2
  • python3.12-minimal - 3.12.7-1ubuntu2.2
  • python3.12-nopie - 3.12.7-1ubuntu2.2
  • python3.12-tk - 3.12.7-1ubuntu2.2
  • python3.12-venv - 3.12.7-1ubuntu2.2
  • idle-python3.13 - 3.13.0-1ubuntu0.3
  • libpython3.13 - 3.13.0-1ubuntu0.3
  • libpython3.13-dev - 3.13.0-1ubuntu0.3
  • libpython3.13-minimal - 3.13.0-1ubuntu0.3
  • libpython3.13-stdlib - 3.13.0-1ubuntu0.3
  • libpython3.13-testsuite - 3.13.0-1ubuntu0.3
  • python3.13 - 3.13.0-1ubuntu0.3
  • python3.13-dev - 3.13.0-1ubuntu0.3
  • python3.13-doc - 3.13.0-1ubuntu0.3
  • python3.13-examples - 3.13.0-1ubuntu0.3
  • python3.13-full - 3.13.0-1ubuntu0.3
  • python3.13-gdbm - 3.13.0-1ubuntu0.3
  • python3.13-minimal - 3.13.0-1ubuntu0.3
  • python3.13-nopie - 3.13.0-1ubuntu0.3
  • python3.13-tk - 3.13.0-1ubuntu0.3
  • python3.13-venv - 3.13.0-1ubuntu0.3

Weakness Enumeration

Path traversal

Related Identifiers

ALSA-2025:10026
ALSA-2025:10031
ALSA-2025:10128
ALSA-2025:10136
ALSA-2025:10140
ALSA-2025:10148
ALSA-2025:10189
AZL-62258
BDU:2025-12377
BIT-LIBPYTHON-2024-12718
BIT-PYTHON-2024-12718
BIT-PYTHON-MIN-2024-12718
CESA-2025_10026
CESA-2025_10031
CESA-2025_10128
CLEANSTART-2026-CI66802
CLEANSTART-2026-KM27583
CLEANSTART-2026-SP91806
CVE-2024-12718
ECHO-83E1-A1F5-89BA
INFSA-2025_10026
INFSA-2025_10031
INFSA-2025_10128
INFSA-2025_10136
INFSA-2025_10148
INFSA-2025_10189
MGASA-2025-0280
OESA-2025-1789
OESA-2025-1790
OESA-2025-1791
OESA-2025-2304
OESA-2025-2305
OESA-2025-2538
OPENSUSE-SU-2025:15285-1
OPENSUSE-SU-2025:15286-1
OPENSUSE-SU-2025:15287-1
OPENSUSE-SU-2025:15288-1
OPENSUSE-SU-2025:15290-1
PSF-2025-5
RHSA-2025:10026
RHSA-2025:10028
RHSA-2025:10031
RHSA-2025:10128
RHSA-2025:10136
RHSA-2025:10140
RHSA-2025:10148
RHSA-2025:10189
RHSA-2025:10399
RHSA-2025:10484
RHSA-2025:10602
RHSA-2025:9918
RHSA-2025_10026
RHSA-2025_10031
RHSA-2025_10128
RHSA-2025_10136
RHSA-2025_10148
RHSA-2025_10189
SUSE-SU-2025:02047-1
SUSE-SU-2025:02048-1
SUSE-SU-2025:02049-1
SUSE-SU-2025:02050-1
SUSE-SU-2025:02057-1
SUSE-SU-2025:02074-1
SUSE-SU-2025:02297-1
SUSE-SU-2025:02427-1
SUSE-SU-2025:02778-1
SUSE-SU-2025:20492-1
SUSE-SU-2025:20539-1
SUSE-SU-2025_02047-1
SUSE-SU-2025_02049-1
SUSE-SU-2025_02050-1
SUSE-SU-2025_02057-1
SUSE-SU-2025_02297-1
SUSE-SU-2025_02778-1
SUSE-SU-2026:0210-1
USN-7583-1

Affected Products

Almalinux
Centos
Debian
Ibm Aix
Linuxmint
Python
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Tarfile