#VU116971 Input validation error in Python - CVE-2025-8291

Published: October 14, 2025

Vulnerability identifier: #VU116971
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-8291
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Python
Software vendor: Python.org

Description

The vulnerability allows a remote attacker to extract files into arbitrary locations on the system.

The vulnerability exists because the zipfile module does not validate the offset stored in the ZIP64 End of Central Directory (EOCD) Locator record when it opens an archive for extraction. That offset is how a reader finds the ZIP64 EOCD record, which in turn gives the position and size of the central directory, so an unchecked value lets the attacker influence which bytes the module treats as the archive's directory. A remote attacker can use a specially crafted zip file to extract data into arbitrary locations on the system.
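The check a practitioner would want to apply to untrusted archives, as an added example that is not part of this advisory and not CPython's own zipfile code: a small parser that locates the EOCD and ZIP64 locator records, verifies that the locator's offset really points at a ZIP64 EOCD record lying between the central directory and the locator, and rejects anything else. The one-entry archive is constructed by hand for the demonstration, and the function names, the BadZip64Locator exception and the `allow_extensible_data` switch are this example's own; the record layouts and signatures come from the ZIP specification (APPNOTE.TXT).

```python
import io
import struct
import zipfile
import zlib

# Signatures, struct layouts and fixed sizes of the trailing records (ZIP APPNOTE.TXT).
EOCD_SIG, EOCD_FMT, EOCD_LEN = b"PK\x05\x06", "<4sHHHHIIH", 22
ZIP64_LOC_SIG, ZIP64_LOC_FMT, ZIP64_LOC_LEN = b"PK\x06\x07", "<4sIQI", 20
ZIP64_EOCD_SIG, ZIP64_EOCD_FMT, ZIP64_EOCD_LEN = b"PK\x06\x06", "<4sQHHIIQQQQ", 56


class BadZip64Locator(Exception):
    """Hypothetical exception for this example: the locator disagrees with the file."""


def build_zip64_archive(name=b"hello.txt", data=b"hello zip64\n"):
    """Constructed sample: one STORED entry, central directory, ZIP64 EOCD record, ZIP64
    locator, EOCD, assembled by hand (zipfile only writes ZIP64 end records past 32-bit limits)."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 45, 0, 0, 0, 0x21,
                        crc, len(data), len(data), len(name), 0) + name
    cd_offset = len(local) + len(data)
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 45, 45, 0, 0, 0, 0x21,
                          crc, len(data), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    zip64_eocd_offset = cd_offset + len(central)
    zip64_eocd = struct.pack(ZIP64_EOCD_FMT, ZIP64_EOCD_SIG, ZIP64_EOCD_LEN - 12,
                             45, 45, 0, 0, 1, 1, len(central), cd_offset)
    locator = struct.pack(ZIP64_LOC_FMT, ZIP64_LOC_SIG, 0, zip64_eocd_offset, 1)
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, 1, 1, len(central), cd_offset, 0)
    return local + data + central + zip64_eocd + locator + eocd


def _find_eocd(data):
    """Offset of the EOCD record; its comment-length field must reach exactly to EOF."""
    pos = data.rfind(EOCD_SIG, max(0, len(data) - EOCD_LEN - 0xFFFF))
    if pos < 0 or pos + EOCD_LEN > len(data):
        raise BadZip64Locator("no end of central directory record")
    if pos + EOCD_LEN + struct.unpack("<H", data[pos + 20:pos + 22])[0] != len(data):
        raise BadZip64Locator("EOCD comment length does not reach end of file")
    return pos


def check_zip64_locator(data, allow_extensible_data=False):
    """Return None (not ZIP64) or a dict describing the central directory; raise
    BadZip64Locator if the locator offset does not lead to a consistent record."""
    eocd_pos = _find_eocd(data)
    loc_pos = eocd_pos - ZIP64_LOC_LEN
    if loc_pos < 0 or data[loc_pos:loc_pos + 4] != ZIP64_LOC_SIG:
        return None
    _, eocd_disk, rel_off, disks = struct.unpack(ZIP64_LOC_FMT, data[loc_pos:eocd_pos])
    if eocd_disk != 0 or disks > 1:
        raise BadZip64Locator("multi-disk archives are not supported")
    # 1. A whole record must fit before the locator; by default it must end exactly there.
    if rel_off + ZIP64_EOCD_LEN > loc_pos:
        raise BadZip64Locator(f"offset {rel_off} leaves no room for a record before {loc_pos}")
    if not allow_extensible_data and rel_off + ZIP64_EOCD_LEN != loc_pos:
        raise BadZip64Locator(f"record at {rel_off} does not immediately precede {loc_pos}")
    (sig, rec_size, _, _, _, _, _, entries, cd_size,
     cd_offset) = struct.unpack(ZIP64_EOCD_FMT, data[rel_off:rel_off + ZIP64_EOCD_LEN])
    # 2. The bytes at the offset must really carry the ZIP64 EOCD signature.
    if sig != ZIP64_EOCD_SIG:
        raise BadZip64Locator(f"no ZIP64 EOCD signature at locator offset {rel_off}")
    # 3. Its size field (record length minus the 12 leading bytes) must span to the locator.
    if rec_size != loc_pos - rel_off - 12:
        raise BadZip64Locator("ZIP64 EOCD size field disagrees with the record's position")
    # 4. The central directory it describes must end before the record starts.
    if cd_offset + cd_size > rel_off:
        raise BadZip64Locator("central directory overlaps the ZIP64 EOCD record")
    return {"cd_offset": cd_offset, "cd_size": cd_size, "entries": entries}


def locator_problem(data, allow_extensible_data=False):
    """The validator's complaint as a string, or None when the archive passes."""
    try:
        check_zip64_locator(data, allow_extensible_data)
    except BadZip64Locator as exc:
        return str(exc)


def patch_locator_offset(data, new_offset):
    """Copy of the archive with only the locator's 8-byte offset rewritten (rest intact)."""
    loc_pos = _find_eocd(data) - ZIP64_LOC_LEN
    if data[loc_pos:loc_pos + 4] != ZIP64_LOC_SIG:
        raise ValueError("archive has no ZIP64 EOCD locator")
    return data[:loc_pos + 8] + struct.pack("<Q", new_offset) + data[loc_pos + 16:]


def stdlib_reads(data, name="hello.txt"):
    """Read a member back with the standard library; shows the sample is well-formed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    good = build_zip64_archive()
    print("stdlib reads:", stdlib_reads(good))
    print("good archive:", check_zip64_locator(good))
    for bad_offset in (0, len(good), 2 ** 40):
        print(f"offset {bad_offset}:", locator_problem(patch_locator_offset(good, bad_offset)))
```

The patched archives keep every other byte intact, including the genuine ZIP64 record and the EOCD, which is why a reader that ignores or trusts the locator offset sees nothing wrong with them. The strict default (the record must end exactly where the locator begins) is the policy to use on untrusted input; `allow_extensible_data=True` admits the specification's optional trailing data, but then only the signature, size and directory-bounds checks stand between a real record and one forged inside a member's data. The `stdlib_reads` call is a sanity check that the constructed archive is a valid ZIP64 file, not a test of whether the installed Python is patched.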


Remediation

Install updates from the vendor's website.

External links