Input validation error in Python - CVE-2025-8291
Published: October 14, 2025
Vulnerability identifier: #VU116971
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-8291
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Python.org
Affected software:
Python
Python
Detailed vulnerability description
The vulnerability allows a remote attacker to extract files into arbitrary locations on the system.
The vulnerability exists due to the zipfile module does not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value when extracting files. A remote attacker can use a specially crafted zip file to extract data into arbitrary locations on the system.
How to mitigate CVE-2025-8291
Install updates from vendor's website.
Sources
- https://github.com/python/cpython/commit/162997bb70e067668c039700141770687bc8f267
- https://github.com/python/cpython/commit/1d29afb0d6218aa8fb5e1e4a6133a4778d89bb46
- https://github.com/python/cpython/commit/333d4a6f4967d3ace91492a39ededbcf3faa76a6
- https://github.com/python/cpython/commit/76437ac248ad8ca44e9bf697b02b1e2241df2196
- https://github.com/python/cpython/commit/8392b2f0d35678407d9ce7d95655a5b77de161b4
- https://github.com/python/cpython/commit/bca11ae7d575d87ed93f5dd6a313be6246e3e388
- https://github.com/python/cpython/commit/d11e69d6203080e3ec450446bfed0516727b85c3
- https://github.com/python/cpython/issues/139700
- https://github.com/python/cpython/pull/139702
- https://mail.python.org/archives/list/security-announce@python.org/thread/QECOPWMTH4VPPJAXAH2BGTA4XADOP62G/