#VU111966 Path traversal in Python - CVE-2025-4517


Vulnerability identifier: #VU111966

Vulnerability risk: High

CVSSv4.0: 8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-4517

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Python
Universal components / Libraries / Scripting languages

Vendor: Python.org

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to an input validation error in the tarfile module when extracting files from an archive with filter="data". A remote attacker can pass a specially crafted archive to the application and write files to arbitrary locations on the system outside the extraction directory.
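As an added defensive illustration (this is not code from the advisory, from CPython or from the referenced fix commits), the wrapper below shows what an application that must unpack untrusted tar archives can do independently of the tarfile filter: check every member lexically before anything is written (relative paths only, no ".." components, no link members, no device nodes), then confirm immediately before each write that the member's on-disk destination still resolves inside the extraction directory. The names safe_extract, check_member, UnsafeArchiveMember and build_archive are my own, the sample archives are constructed in memory, and the filter="data" argument is passed only where the running interpreter provides tarfile.data_filter; since the page states that filter="data" itself is affected, the explicit checks are what enforce the containment, and installing the vendor's update remains the fix.

```python
import io
import os
import tarfile
import tempfile

# Hypothetical defensive wrapper (not CPython's own code): validates every
# member of an untrusted tar archive before writing anything to disk.
# The data filter is used when available, but containment does not rely on it.
_EXTRACT_KW = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}


class UnsafeArchiveMember(Exception):
    """Raised when a member would write outside the destination or is a link/device."""


def _resolves_inside(dest, relative_name):
    """True if dest/relative_name resolves, following any symlinks that already
    exist on disk, to a location inside dest."""
    base = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(base, relative_name))
    return target == base or target.startswith(base + os.sep)


def check_member(member):
    """Lexical policy for one TarInfo: relative path, no '..', no links, no devices.
    Raises UnsafeArchiveMember on any violation; returns None when the member passes."""
    name = member.name.replace("\\", "/")
    if name.startswith("/") or os.path.isabs(member.name):
        raise UnsafeArchiveMember(f"absolute path: {member.name!r}")
    if ".." in name.split("/"):
        raise UnsafeArchiveMember(f"parent-directory component: {member.name!r}")
    if member.issym() or member.islnk():
        raise UnsafeArchiveMember(f"link member refused: {member.name!r}")
    if member.isdev():
        raise UnsafeArchiveMember(f"device node refused: {member.name!r}")


def safe_extract(archive_bytes, dest):
    """Extract archive_bytes into dest. All members are checked lexically first, so
    one bad member anywhere aborts before any file is written; the on-disk
    resolution check then runs per member right before it is extracted.
    Returns the list of member names written."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        members = tar.getmembers()
        for m in members:
            check_member(m)
        for m in members:
            if not _resolves_inside(dest, m.name):
                raise UnsafeArchiveMember(f"resolves outside destination: {m.name!r}")
            tar.extract(m, path=dest, set_attrs=False, **_EXTRACT_KW)
            written.append(m.name)
    return written


def build_archive(entries):
    """Constructed sample archive for the demo. entries: (name, payload) for a
    regular file, or (name, None, linkname) for a symlink member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for entry in entries:
            info = tarfile.TarInfo(entry[0])
            if len(entry) == 3:
                info.type = tarfile.SYMTYPE
                info.linkname = entry[2]
                tar.addfile(info)
            else:
                info.size = len(entry[1])
                tar.addfile(info, io.BytesIO(entry[1]))
    return buf.getvalue()


def demo():
    """Returns (good_extracted, traversal_blocked, symlink_blocked)."""
    good = build_archive([("docs/readme.txt", b"hello\n")])
    traversal = build_archive([("../escape.txt", b"x\n")])
    link = build_archive([("out", None, "/placeholder/outside"),
                          ("out/file.txt", b"y\n")])
    results = []
    with tempfile.TemporaryDirectory() as d:
        safe_extract(good, d)
        results.append(os.path.isfile(os.path.join(d, "docs", "readme.txt")))
        for archive in (traversal, link):
            try:
                safe_extract(archive, d)
                results.append(False)
            except UnsafeArchiveMember:
                results.append(True)
    return tuple(results)


if __name__ == "__main__":
    print(demo())
```

Refusing link members outright is a deliberate policy choice for untrusted input: it removes the whole class of "a link extracted earlier redirects a later write" problems, at the cost of not supporting archives that legitimately carry symlinks. The realpath check still matters even with that policy, because a symlink that already existed in the destination directory before extraction began would otherwise redirect writes just as effectively.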

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Python: -, 0.9.0 - 2.7.14 rc1, 0.9.1, 0.9.8, 0.9.9, 1.0.1, 1.0.2, 1.1, 1.1.1, 1.2, 1.5, 1.5a1, 1.5a2, 1.5a3, 1.5a4, 1.5b1, 1.5b2, 1.5.1, 1.5.2, 1.5.2c1, 1.5.2a1, 1.5.2a2, 1.5.2b1, 1.5.2b2, 1.6, 1.6a1, 1.6a2, 1.6.1, 2.0, 2.0c1, 2.0b1, 2.0b2, 2.0.1, 2.0.1c1, 2.1, 2.1c1, 2.1c2, 2.1a1, 2.1a2, 2.1b1, 2.1b2, 2.1.1, 2.1.1c1, 2.1.2, 2.1.2c1, 2.1.3, 2.2, 2.2a3, 2.2.0, 2.2.1, 2.2.1c1, 2.2.1c2, 2.2.2, 2.2.2b1, 2.2.3, 2.2.3c1, 2.3, 2.3c1, 2.3c2, 2.3.0, 2.3.1, 2.3.2, 2.3.2c1, 2.3.3, 2.3.3c1, 2.3.4, 2.3.4c1, 2.3.5, 2.3.5c1, 2.3.6, 2.3.6c1, 2.3.7, 2.3.7c1, 2.4, 2.4c1, 2.4a1, 2.4a2, 2.4a3, 2.4b1, 2.4b2, 2.4.0, 2.4.1, 2.4.1c1, 2.4.1c2, 2.4.2, 2.4.2c1, 2.4.3, 2.4.3c1, 2.4.4, 2.4.4c1, 2.7.15, 2.7.15 rc1, 2.7.16, 2.7.16 rc1, 2.7.17, 2.7.17 rc1, 2.7.18, 2.7.18 rc1, 2.7.1150, 2.7.2150, 3.0, 3.0a1, 3.0a2, 3.0a3, 3.0a4, 3.0a5, 3.0b1, 3.0b2, 3.0b3, 3.0 rc1, 3.0 rc2, 3.0 rc3, 3.0.0, 3.0.1, 3.1, 3.1a1, 3.1a2, 3.1b1, 3.1 rc1, 3.1 rc2, 3.1.0, 3.1.1, 3.1.1 rc1, 3.1.2, 3.1.2 rc1, 3.1.3, 3.1.3 rc1, 3.1.4, 3.1.4 rc1, 3.1.5, 3.1.5 rc1, 3.1.5 rc2, 3.1.2150, 3.2, 3.2a1, 3.2a2, 3.2a3, 3.2a4, 3.2b1, 3.2b2, 3.2 rc1, 3.2 rc2, 3.2 rc3, 3.2.0, 3.2.1, 3.2.1b1, 3.2.1 rc1, 3.2.1 rc2, 3.2.2, 3.2.2 rc1, 3.2.3, 3.2.3 rc1, 3.2.3 rc2, 3.2.4, 3.2.4 rc1, 3.2.5, 3.2.6, 3.2.6 rc1, 3.2.2150, 3.3, 3.3.0, 3.3.0a1, 3.3.0a2, 3.3.0a3, 3.3.0a4, 3.3.0b1, 3.3.0b2, 3.3.0 rc1, 3.3.0 rc2, 3.3.0 rc3, 3.3.1, 3.3.1 rc1, 3.3.2, 3.3.3, 3.3.3 rc1, 3.3.3 rc2, 3.3.4, 3.3.4 rc1, 3.3.5, 3.3.5 rc1, 3.3.5 rc2, 3.3.6, 3.3.6 rc1, 3.3.7, 3.3.7 rc1, 3.4, 3.4.0, 3.4.0a1, 3.4.0a2, 3.4.0a3, 3.4.0a4, 3.4.0b1, 3.4.0b2, 3.4.0b3, 3.4.0 rc1, 3.4.0 rc2, 3.4.0 rc3, 3.4.1, 3.4.1 rc1, 3.4.2, 3.4.2 rc1, 3.4.3, 3.4.3 rc1, 3.4.4, 3.4.4 rc1, 3.4.5, 3.4.5 rc1, 3.4.6, 3.4.6 rc1, 3.4.7, 3.4.7 rc1, 3.4.8, 3.4.8 rc1, 3.4.9, 3.4.9 rc1, 3.4.10, 3.4.10 rc1, 3.5, 3.5.0, 3.5.0a1, 3.5.0a2, 3.5.0a3, 3.5.0a4, 3.5.0b1, 3.5.0b2, 3.5.0b3, 3.5.0b4, 3.5.0 rc1, 3.5.0 rc2, 3.5.0 rc3, 3.5.0 rc4, 3.5.1, 3.5.1 rc1, 3.5.2, 3.5.2 rc1, 3.5.3, 3.5.3 rc1, 3.5.4, 3.5.4 rc1, 3.5.5, 3.5.5 
rc1, 3.5.6, 3.5.6 rc1, 3.5.7, 3.5.7 rc1, 3.5.8, 3.5.8 rc1, 3.5.8 rc2, 3.5.9, 3.5.10, 3.5.10 rc1, 3.6, 3.6.0, 3.6.0a1, 3.6.0a2, 3.6.0a3, 3.6.0a4, 3.6.0b1, 3.6.0b2, 3.6.0b3, 3.6.0b4, 3.6.0 rc1, 3.6.0 rc2, 3.6.1, 3.6.1 rc1, 3.6.2, 3.6.2 rc1, 3.6.2 rc2, 3.6.3, 3.6.3 rc1, 3.6.4, 3.6.4 rc1, 3.6.5, 3.6.5 rc1, 3.6.6, 3.6.6 rc1, 3.6.7, 3.6.7 rc1, 3.6.7 rc2, 3.6.8, 3.6.8 rc1, 3.6.9, 3.6.9 rc1, 3.6.10, 3.6.10 rc1, 3.6.11, 3.6.11 rc1, 3.6.12, 3.6.13, 3.6.14, 3.6.15, 3.7, 3.7.0, 3.7.0a1, 3.7.0a2, 3.7.0a3, 3.7.0a4, 3.7.0b1, 3.7.0b2, 3.7.0b3, 3.7.0b4, 3.7.0b5, 3.7.0 rc1, 3.7.1, 3.7.1 rc1, 3.7.1 rc2, 3.7.2, 3.7.2 rc1, 3.7.3, 3.7.3 rc1, 3.7.4, 3.7.4 rc1, 3.7.4 rc2, 3.7.5, 3.7.5 rc1, 3.7.6, 3.7.6 rc1, 3.7.7, 3.7.7 rc1, 3.7.8, 3.7.8 rc1, 3.7.9, 3.7.10, 3.7.11, 3.7.12, 3.7.13, 3.7.14, 3.7.15, 3.7.16, 3.7.17, 3.8, 3.8.0, 3.8.0a1, 3.8.0a2, 3.8.0a3, 3.8.0a4, 3.8.0b1, 3.8.0b2, 3.8.0b3, 3.8.0b4, 3.8.0 rc1, 3.8.1, 3.8.1 rc1, 3.8.2, 3.8.2 rc1, 3.8.2 rc2, 3.8.3, 3.8.3 rc1, 3.8.4, 3.8.4 rc1, 3.8.5, 3.8.6, 3.8.6 rc1, 3.8.7, 3.8.7 rc1, 3.8.8, 3.8.8 rc1, 3.8.9, 3.8.10, 3.8.11, 3.8.12, 3.8.13, 3.8.14, 3.8.15, 3.8.16, 3.8.17, 3.8.18, 3.8.19, 3.8.20, 3.9.0, 3.9.0a1, 3.9.0a2, 3.9.0a3, 3.9.0a4, 3.9.0a5, 3.9.0a6, 3.9.0b1, 3.9.0b2, 3.9.0b3, 3.9.0b4, 3.9.0b5, 3.9.0 rc1, 3.9.0 rc2, 3.9.1, 3.9.1 rc1, 3.9.2, 3.9.2 rc1, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 3.9.8, 3.9.9, 3.9.10, 3.9.11, 3.9.12, 3.9.13, 3.9.14, 3.9.15, 3.9.16, 3.9.17, 3.9.18, 3.9.19, 3.9.20, 3.9.21, 3.9.22, 3.10.0, 3.10.0a1, 3.10.0a2, 3.10.0a3, 3.10.0a4, 3.10.0a5, 3.10.0a6, 3.10.0a7, 3.10.0b1, 3.10.0b2, 3.10.0b3, 3.10.0b4, 3.10.0 rc1, 3.10.0 rc2, 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.10.5, 3.10.6, 3.10.7, 3.10.8, 3.10.9, 3.10.10, 3.10.11, 3.10.12, 3.10.13, 3.10.14, 3.10.15, 3.10.16, 3.10.17, 3.11.0, 3.11.0a1, 3.11.0a2, 3.11.0a3, 3.11.0a4, 3.11.0a5, 3.11.0a6, 3.11.0a7, 3.11.0b1, 3.11.0b2, 3.11.0b3, 3.11.0b4, 3.11.0b5, 3.11.0 rc1, 3.11.0 rc2, 3.11.1, 3.11.2, 3.11.3, 3.11.4, 3.11.5, 3.11.6, 3.11.7, 3.11.8, 3.11.9, 3.11.10, 3.11.11, 3.11.12, 3.12.0, 
3.12.0a1, 3.12.0a2, 3.12.0a3, 3.12.0a4, 3.12.0a5, 3.12.0a6, 3.12.0a7, 3.12.0b1, 3.12.0b2, 3.12.0b3, 3.12.0b4, 3.12.0 rc1, 3.12.0 rc2, 3.12.0 rc3, 3.12.1, 3.12.2, 3.12.3, 3.12.4, 3.12.5, 3.12.6, 3.12.7, 3.12.8, 3.12.9, 3.12.10, 3.13.0, 3.13.0a1, 3.13.0a2, 3.13.0a3, 3.13.0a4, 3.13.0a5, 3.13.0a6, 3.13.0b1, 3.13.0b2, 3.13.0b3, 3.13.0b4, 3.13.0 rc1, 3.13.0 rc2, 3.13.0 rc3, 3.13.1, 3.13.2, 3.13.3, 3.14.0a1, 3.14.0a2, 3.14.0a3, 3.14.0a4, 3.14.0a5, 3.14.0a6, 3.14.0a7, 3.14.0b1, 3.14.0b2, 3.14.0b3


External links
https://gist.github.com/sethmlarson/52398e33eff261329a0180ac1d54f42f
https://github.com/python/cpython/commit/19de092debb3d7e832e5672cc2f7b788d35951da
https://github.com/python/cpython/commit/28463dba112af719df1e8b0391c46787ad756dd9
https://github.com/python/cpython/commit/3612d8f51741b11f36f8fb0494d79086bac9390a
https://github.com/python/cpython/commit/4633f3f497b1ff70e4a35b6fe2c907cbe2d4cb2e
https://github.com/python/cpython/commit/9c1110ef6652687d7c55f590f909720eddde965a
https://github.com/python/cpython/commit/9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a
https://github.com/python/cpython/commit/aa9eb5f757ceff461e6e996f12c89e5d9b583b01
https://github.com/python/cpython/commit/dd8f187d0746da151e0025c51680979ac5b4cfb1
https://github.com/python/cpython/issues/135034
https://github.com/python/cpython/pull/135037
https://mail.python.org/archives/list/security-announce@python.org/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
