PT-2025-31145 · Python+9 · Cpython+10

Alexander Urieles +3 · Published 2025-07-28 · Updated 2026-04-29 · CVE-2025-8194

CVSS v2.0: 7.8 High
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

CPython versions (affected versions not specified)

Description

A defect exists in the CPython “tarfile” module, impacting the “TarFile” extraction and entry enumeration APIs. The tar implementation processes tar archives with negative offsets without error, leading to an infinite loop and deadlock when parsing maliciously crafted tar archives.

Recommendations

Include the following patch after importing the “tarfile” module:

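import tarfile

# Wrapper around TarInfo._block that rejects negative offsets.
def _block_patched(self, count):
    if count < 0:  # pragma: no cover
        raise tarfile.InvalidHeaderError("invalid offset")
    return _block_patched._orig_block(self, count)

# Keep a reference to the original method, then install the wrapper.
_block_patched._orig_block = tarfile.TarInfo._block
tarfile.TarInfo._block = _block_patched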
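
An added example (not part of the advisory or of CPython): one way to apply the recommended guard only once at process start, confirm that it is active, and check that ordinary archives still parse. The function names `rejects_negative_offsets`, `apply_mitigation` and `benign_roundtrip` are assumptions made for this example; like the patch above, it relies on the private `tarfile.TarInfo._block` method.

```python
import io
import tarfile


def rejects_negative_offsets():
    """Return True if TarInfo._block refuses a negative byte count."""
    try:
        # _block only rounds a count up to the 512-byte block size, so a
        # bare TarInfo is enough to probe it; no archive is parsed here.
        tarfile.TarInfo()._block(-1)
    except tarfile.InvalidHeaderError:
        return True
    return False


def apply_mitigation():
    """Install the advisory's guard once and report what happened."""
    if rejects_negative_offsets():
        # Fixed interpreter, or the guard is already installed: do not
        # wrap a second time.
        return "already-protected"
    orig_block = tarfile.TarInfo._block

    def _block_patched(self, count):
        if count < 0:
            raise tarfile.InvalidHeaderError("invalid offset")
        return orig_block(self, count)

    _block_patched._orig_block = orig_block  # kept so the patch can be undone
    tarfile.TarInfo._block = _block_patched
    if not rejects_negative_offsets():
        raise RuntimeError("tarfile guard did not take effect")
    return "patched"


def benign_roundtrip():
    """Write and re-read a constructed one-file archive; return its names."""
    buf = io.BytesIO()
    payload = b"hello"  # constructed sample data
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("sample.txt")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    buf.seek(0)
    with tarfile.open(fileobj=buf, mode="r") as tar:
        return tar.getnames()


if __name__ == "__main__":
    print(apply_mitigation(), benign_roundtrip())
```

Call `apply_mitigation()` before any code path that opens untrusted archives; a `RuntimeError` means the guard is not in place and the process should not go on to parse them.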

Fix

DoS

Infinite Loop

Weakness Enumeration

Related Identifiers

ALSA-2025:14546
ALSA-2025:14560
ALSA-2025:14841
ALSA-2025:14900
ALSA-2025:14984
ALSA-2025:15007
ALSA-2025:15010
ALSA-2025:15019
AZL-65984
AZL-65987
BDU:2025-09687
BIT-LIBPYTHON-2025-8194
BIT-PYTHON-2025-8194
BIT-PYTHON-MIN-2025-8194
CESA-2025_14546
CESA-2025_14560
CESA-2025_14841
CESA-2025_14900
CVE-2025-8194
ECHO-053D-4507-0279
INFSA-2025_14546
INFSA-2025_14560
INFSA-2025_14841
INFSA-2025_14900
INFSA-2025_15007
INFSA-2025_15010
INFSA-2025_15019
MGASA-2025-0280
OESA-2025-2100
OESA-2025-2101
OESA-2025-2102
OESA-2025-2103
OESA-2025-2290
OPENSUSE-SU-2025:15402-1
OPENSUSE-SU-2025:15403-1
OPENSUSE-SU-2025:15404-1
OPENSUSE-SU-2025:15407-1
OPENSUSE-SU-2025:15408-1
OPENSUSE-SU-2025:15409-1
OPENSUSE-SU-2025:15713-1
OPENSUSE-SU-2026:20081-1
PSF-2025-11
RHSA-2025:14546
RHSA-2025:14560
RHSA-2025:14841
RHSA-2025:14984
RHSA-2025:15007
RHSA-2025:15010
RHSA-2025:15019
RHSA-2025:15348
RHSA-2025:15724
RHSA-2025:15800
RHSA-2025:15968
RHSA-2025:16012
RHSA-2025:16016
RHSA-2025:16031
RHSA-2025:16062
RHSA-2025:16078
RHSA-2025:16117
RHSA-2025:16118
RHSA-2025:16151
RHSA-2025:16152
RHSA-2025:16153
RHSA-2025:16262
RHSA-2025_14546
RHSA-2025_14560
RHSA-2025_14841
RHSA-2025_14900
RHSA-2025_15007
RHSA-2025_15010
RHSA-2025_15019
SUSE-SU-2025:02700-1
SUSE-SU-2025:02701-1
SUSE-SU-2025:02717-1
SUSE-SU-2025:02767-1
SUSE-SU-2025:02778-1
SUSE-SU-2025:02787-1
SUSE-SU-2025:02802-1
SUSE-SU-2025:02948-1
SUSE-SU-2025:02982-1
SUSE-SU-2025:02983-1
SUSE-SU-2025:02984-1
SUSE-SU-2025:03032-1
SUSE-SU-2025:20631-1
SUSE-SU-2025:20749-1
SUSE-SU-2025:3706-1
SUSE-SU-2025_02717-1
SUSE-SU-2025_02778-1
SUSE-SU-2025_02802-1
SUSE-SU-2025_02983-1
SUSE-SU-2025_02984-1
SUSE-SU-2025_03032-1
SUSE-SU-2026:20125-1
SUSE-SU-2026:20154-1
USN-7710-1
USN-7710-2

Affected Products

Almalinux
Cpython
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Tarfile