PT-2025-23609 · Python+11
Caleb Brown +5 · Published 2025-06-03 · Updated 2026-05-18 · CVE-2025-4330
CVSS v2.0: 7.8 (High)
| Vector | AV:N/AC:L/Au:N/C:N/I:C/A:N |
Name of the Vulnerable Software and Affected Versions
Python versions 3.12 and later
Description
The issue allows the extraction filter to be bypassed, so that symlink targets can point outside the destination directory and some file metadata can be modified despite the filter. This affects users who use the tarfile module to extract untrusted tar archives with TarFile.extractall() or TarFile.extract() and the filter parameter set to "data" or "tar". For Python 3.14 and later the default filter value changed to "data", so code that relies on this new default is affected as well. Installation of source distributions, which are tar archives, is not significantly affected, since they already allow arbitrary code execution during the build process.
Recommendations
For Python versions 3.12 and later, consider updating to a version where this issue is fixed, although the specific fixed version is not provided.
As a temporary workaround, avoid using the filter parameter with values of "data" or "tar" when extracting untrusted tar archives with TarFile.extractall() or TarFile.extract() until a patch is available.
Restrict access to untrusted tar archives to minimize the risk of exploitation.
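The description above explains that the "data" and "tar" filters could be bypassed for symlink targets and some metadata, and the recommendations ask for a workaround until a fixed build is installed. The following pre-extraction audit is an added example for this page; it is not code from the advisory, from CPython, or from any of the listed distributions. It screens the member list of an untrusted archive before anything is written, independently of whether the interpreter's built-in filter is trustworthy, and only then extracts with filter="data" where the interpreter offers it. The function names (audit_tar_members, audit_archive, safe_extract, build_sample_tar) and the in-memory sample archive are constructed for the example; the check is lexical, so it is a screen in front of extraction, not a replacement for updating Python.

```python
import io
import posixpath
import tarfile


def _escapes_root(path):
    """True if an archive-relative POSIX path would resolve above the extraction root."""
    norm = posixpath.normpath(path)
    return posixpath.isabs(norm) or norm == ".." or norm.startswith("../")


def audit_tar_members(tar):
    """Return [(member_name, reason)] for every member that must not be extracted.

    Checks, before any file is written: names that climb above the root,
    symlink/hardlink targets that resolve outside the root, members that would
    be written through a symlink earlier in the same archive, setuid/setgid/
    sticky bits, and special files (devices, FIFOs).
    """
    rejected = []
    symlinks_seen = []  # normalized names of symlinks already accepted
    for m in tar.getmembers():
        name = posixpath.normpath(m.name)
        if _escapes_root(name):
            rejected.append((m.name, "member name escapes extraction root"))
            continue
        # A later member whose path passes through an earlier symlink would be
        # written wherever that symlink points, so reject it outright.
        if any(name == s or name.startswith(s + "/") for s in symlinks_seen):
            rejected.append((m.name, "path passes through a symlink from this archive"))
            continue
        if m.issym():
            # Symlink targets are resolved relative to the symlink's own directory.
            target = posixpath.join(posixpath.dirname(name), m.linkname)
            if _escapes_root(target):
                rejected.append((m.name, f"symlink target escapes root: {m.linkname}"))
                continue
            symlinks_seen.append(name)
        elif m.islnk():
            # Hard-link targets are relative to the archive root, not the member.
            if _escapes_root(m.linkname):
                rejected.append((m.name, f"hardlink target escapes root: {m.linkname}"))
                continue
        elif m.isfile() or m.isdir():
            if m.mode & 0o7000:
                rejected.append((m.name, "setuid/setgid/sticky bit set"))
                continue
        else:
            rejected.append((m.name, "special file (device/fifo) not allowed"))
    return rejected


def audit_archive(archive_bytes):
    """Audit an in-memory archive and return its rejections (empty list = clean)."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as tar:
        return audit_tar_members(tar)


def safe_extract(archive_bytes, dest):
    """Refuse the whole archive if the audit flags anything; otherwise extract."""
    problems = audit_archive(archive_bytes)
    if problems:
        raise ValueError(f"refusing to extract: {problems}")
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as tar:
        if hasattr(tarfile, "data_filter"):  # filters exist (Python 3.12+, PEP 706)
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def build_sample_tar():
    """Constructed in-memory archive with one benign member and several hostile ones."""
    buf = io.BytesIO()
    payload = b"hello\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name):
            ti = tarfile.TarInfo(name)
            ti.size = len(payload)
            tar.addfile(ti, io.BytesIO(payload))

        def add_symlink(name, target):
            ti = tarfile.TarInfo(name)
            ti.type = tarfile.SYMTYPE
            ti.linkname = target
            tar.addfile(ti)

        add_file("pkg/readme.txt")                       # benign regular file
        add_symlink("pkg/link_ok", "readme.txt")         # target stays inside pkg/
        add_symlink("pkg/link_escape", "../../outside")  # target resolves above root
        add_symlink("pkg/link_abs", "/etc/hostname")     # absolute target
        add_file("pkg/link_ok/through.txt")              # written through a symlink
        add_file("../escape.txt")                        # name itself traverses upward
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_archive(build_sample_tar()):
        print(f"REJECT {name}: {reason}")
```

Rejecting the whole archive on the first finding, rather than skipping the offending members, is deliberate: an archive that carries an escaping symlink is not one whose remaining members should be trusted, and partial extraction is what makes the symlink-then-write ordering problem exploitable.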
Weakness Enumeration
Path traversal
Affected Products
AlmaLinux
Astra Linux
CentOS
Debian
IBM AIX
Linux Mint
Python
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu