Vulnerability identifier: #VU111967
Vulnerability risk: High
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID:
CWE-ID: CWE-59
Exploitation vector: Network
Exploit availability: No
Vulnerable software: Python (Universal components / Libraries / Scripting languages)
Vendor: Python.org
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to an insecure link following issue (CWE-59) in the tarfile module when extracting data from an archive. A remote attacker can pass a specially crafted archive to the application and overwrite arbitrary files outside the destination directory.
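As an added illustration (not code from this advisory or from CPython), the defender-side check that closes this class of issue: extract one member at a time and verify on the real filesystem that both the member's path and any link target resolve inside the destination, so that a link created by an earlier member cannot redirect a later write. The archive is a constructed sample; `build_sample_archive`, `safe_extract` and `demo` are hypothetical names.

```python
import io
import os
import tarfile
import tempfile

def build_sample_archive() -> bytes:
    """Constructed sample: a benign file, a symlink whose target lies outside
    the destination, and a file whose path goes through that link."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("escape")
        link.type, link.linkname = tarfile.SYMTYPE, "../outside"
        tar.addfile(link)
        for name in ("ok.txt", "escape/pwned.txt"):
            info = tarfile.TarInfo(name)
            info.size = 6
            tar.addfile(info, io.BytesIO(b"hello\n"))
    return buf.getvalue()

def safe_extract(archive: bytes, dest: str) -> list:
    """Extract members one at a time; reject any whose on-disk path or link
    target resolves outside dest. Returns the names of rejected members."""
    dest = os.path.realpath(dest)
    rejected = []
    # Use the stdlib 'data' filter too where the interpreter has it (3.12+ and backports).
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar:
            where = os.path.join(dest, m.name)
            paths = [os.path.realpath(where)]  # follows links earlier members created
            if m.issym():
                paths.append(os.path.realpath(os.path.join(os.path.dirname(where), m.linkname)))
            elif m.islnk():
                paths.append(os.path.realpath(os.path.join(dest, m.linkname)))
            elif not (m.isfile() or m.isdir()):
                rejected.append(m.name)  # devices, fifos: never wanted from an archive
                continue
            if any(os.path.commonpath([dest, p]) != dest for p in paths):
                rejected.append(m.name)
                continue
            tar.extract(m, path=dest, set_attrs=False, **extra)
    return rejected

def demo() -> dict:
    """Run the sample through safe_extract in a fresh temporary directory."""
    dest = tempfile.mkdtemp()
    rejected = safe_extract(build_sample_archive(), dest)
    return {"rejected": rejected,
            "ok_extracted": os.path.isfile(os.path.join(dest, "ok.txt")),
            "link_created": os.path.islink(os.path.join(dest, "escape")),
            "contained": os.path.isfile(os.path.join(dest, "escape", "pwned.txt"))}
```

The escaping symlink is refused, so the later `escape/pwned.txt` lands in a plain directory under the destination instead of being written through the link.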
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Python: -, 0.9.0 - 2.7.14 rc1, 0.9.1, 0.9.8, 0.9.9, 1.0.1, 1.0.2, 1.1, 1.1.1, 1.2, 1.5, 1.5a1, 1.5a2, 1.5a3, 1.5a4, 1.5b1, 1.5b2, 1.5.1, 1.5.2, 1.5.2c1, 1.5.2a1, 1.5.2a2, 1.5.2b1, 1.5.2b2, 1.6, 1.6a1, 1.6a2, 1.6.1, 2.0, 2.0c1, 2.0b1, 2.0b2, 2.0.1, 2.0.1c1, 2.1, 2.1c1, 2.1c2, 2.1a1, 2.1a2, 2.1b1, 2.1b2, 2.1.1, 2.1.1c1, 2.1.2, 2.1.2c1, 2.1.3, 2.2, 2.2a3, 2.2.0, 2.2.1, 2.2.1c1, 2.2.1c2, 2.2.2, 2.2.2b1, 2.2.3, 2.2.3c1, 2.3, 2.3c1, 2.3c2, 2.3.0, 2.3.1, 2.3.2, 2.3.2c1, 2.3.3, 2.3.3c1, 2.3.4, 2.3.4c1, 2.3.5, 2.3.5c1, 2.3.6, 2.3.6c1, 2.3.7, 2.3.7c1, 2.4, 2.4c1, 2.4a1, 2.4a2, 2.4a3, 2.4b1, 2.4b2, 2.4.0, 2.4.1, 2.4.1c1, 2.4.1c2, 2.4.2, 2.4.2c1, 2.4.3, 2.4.3c1, 2.4.4, 2.4.4c1, 2.7.15, 2.7.15 rc1, 2.7.16, 2.7.16 rc1, 2.7.17, 2.7.17 rc1, 2.7.18, 2.7.18 rc1, 2.7.1150, 2.7.2150, 3.0, 3.0a1, 3.0a2, 3.0a3, 3.0a4, 3.0a5, 3.0b1, 3.0b2, 3.0b3, 3.0 rc1, 3.0 rc2, 3.0 rc3, 3.0.0, 3.0.1, 3.1, 3.1a1, 3.1a2, 3.1b1, 3.1 rc1, 3.1 rc2, 3.1.0, 3.1.1, 3.1.1 rc1, 3.1.2, 3.1.2 rc1, 3.1.3, 3.1.3 rc1, 3.1.4, 3.1.4 rc1, 3.1.5, 3.1.5 rc1, 3.1.5 rc2, 3.1.2150, 3.2, 3.2a1, 3.2a2, 3.2a3, 3.2a4, 3.2b1, 3.2b2, 3.2 rc1, 3.2 rc2, 3.2 rc3, 3.2.0, 3.2.1, 3.2.1b1, 3.2.1 rc1, 3.2.1 rc2, 3.2.2, 3.2.2 rc1, 3.2.3, 3.2.3 rc1, 3.2.3 rc2, 3.2.4, 3.2.4 rc1, 3.2.5, 3.2.6, 3.2.6 rc1, 3.2.2150, 3.3, 3.3.0, 3.3.0a1, 3.3.0a2, 3.3.0a3, 3.3.0a4, 3.3.0b1, 3.3.0b2, 3.3.0 rc1, 3.3.0 rc2, 3.3.0 rc3, 3.3.1, 3.3.1 rc1, 3.3.2, 3.3.3, 3.3.3 rc1, 3.3.3 rc2, 3.3.4, 3.3.4 rc1, 3.3.5, 3.3.5 rc1, 3.3.5 rc2, 3.3.6, 3.3.6 rc1, 3.3.7, 3.3.7 rc1, 3.4, 3.4.0, 3.4.0a1, 3.4.0a2, 3.4.0a3, 3.4.0a4, 3.4.0b1, 3.4.0b2, 3.4.0b3, 3.4.0 rc1, 3.4.0 rc2, 3.4.0 rc3, 3.4.1, 3.4.1 rc1, 3.4.2, 3.4.2 rc1, 3.4.3, 3.4.3 rc1, 3.4.4, 3.4.4 rc1, 3.4.5, 3.4.5 rc1, 3.4.6, 3.4.6 rc1, 3.4.7, 3.4.7 rc1, 3.4.8, 3.4.8 rc1, 3.4.9, 3.4.9 rc1, 3.4.10, 3.4.10 rc1, 3.5, 3.5.0, 3.5.0a1, 3.5.0a2, 3.5.0a3, 3.5.0a4, 3.5.0b1, 3.5.0b2, 3.5.0b3, 3.5.0b4, 3.5.0 rc1, 3.5.0 rc2, 3.5.0 rc3, 3.5.0 rc4, 3.5.1, 3.5.1 rc1, 3.5.2, 3.5.2 rc1, 3.5.3, 3.5.3 rc1, 3.5.4, 3.5.4 rc1, 3.5.5, 3.5.5 rc1, 3.5.6, 3.5.6 rc1, 3.5.7, 3.5.7 rc1, 3.5.8, 3.5.8 rc1, 3.5.8 rc2, 3.5.9, 3.5.10, 3.5.10 rc1, 3.6, 3.6.0, 3.6.0a1, 3.6.0a2, 3.6.0a3, 3.6.0a4, 3.6.0b1, 3.6.0b2, 3.6.0b3, 3.6.0b4, 3.6.0 rc1, 3.6.0 rc2, 3.6.1, 3.6.1 rc1, 3.6.2, 3.6.2 rc1, 3.6.2 rc2, 3.6.3, 3.6.3 rc1, 3.6.4, 3.6.4 rc1, 3.6.5, 3.6.5 rc1, 3.6.6, 3.6.6 rc1, 3.6.7, 3.6.7 rc1, 3.6.7 rc2, 3.6.8, 3.6.8 rc1, 3.6.9, 3.6.9 rc1, 3.6.10, 3.6.10 rc1, 3.6.11, 3.6.11 rc1, 3.6.12, 3.6.13, 3.6.14, 3.6.15, 3.7, 3.7.0, 3.7.0a1, 3.7.0a2, 3.7.0a3, 3.7.0a4, 3.7.0b1, 3.7.0b2, 3.7.0b3, 3.7.0b4, 3.7.0b5, 3.7.0 rc1, 3.7.1, 3.7.1 rc1, 3.7.1 rc2, 3.7.2, 3.7.2 rc1, 3.7.3, 3.7.3 rc1, 3.7.4, 3.7.4 rc1, 3.7.4 rc2, 3.7.5, 3.7.5 rc1, 3.7.6, 3.7.6 rc1, 3.7.7, 3.7.7 rc1, 3.7.8, 3.7.8 rc1, 3.7.9, 3.7.10, 3.7.11, 3.7.12, 3.7.13, 3.7.14, 3.7.15, 3.7.16, 3.7.17, 3.8, 3.8.0, 3.8.0a1, 3.8.0a2, 3.8.0a3, 3.8.0a4, 3.8.0b1, 3.8.0b2, 3.8.0b3, 3.8.0b4, 3.8.0 rc1, 3.8.1, 3.8.1 rc1, 3.8.2, 3.8.2 rc1, 3.8.2 rc2, 3.8.3, 3.8.3 rc1, 3.8.4, 3.8.4 rc1, 3.8.5, 3.8.6, 3.8.6 rc1, 3.8.7, 3.8.7 rc1, 3.8.8, 3.8.8 rc1, 3.8.9, 3.8.10, 3.8.11, 3.8.12, 3.8.13, 3.8.14, 3.8.15, 3.8.16, 3.8.17, 3.8.18, 3.8.19, 3.8.20, 3.9.0, 3.9.0a1, 3.9.0a2, 3.9.0a3, 3.9.0a4, 3.9.0a5, 3.9.0a6, 3.9.0b1, 3.9.0b2, 3.9.0b3, 3.9.0b4, 3.9.0b5, 3.9.0 rc1, 3.9.0 rc2, 3.9.1, 3.9.1 rc1, 3.9.2, 3.9.2 rc1, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 3.9.8, 3.9.9, 3.9.10, 3.9.11, 3.9.12, 3.9.13, 3.9.14, 3.9.15, 3.9.16, 3.9.17, 3.9.18, 3.9.19, 3.9.20, 3.9.21, 3.9.22, 3.10.0, 3.10.0a1, 3.10.0a2, 3.10.0a3, 3.10.0a4, 3.10.0a5, 3.10.0a6, 3.10.0a7, 3.10.0b1, 3.10.0b2, 3.10.0b3, 3.10.0b4, 3.10.0 rc1, 3.10.0 rc2, 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.10.5, 3.10.6, 3.10.7, 3.10.8, 3.10.9, 3.10.10, 3.10.11, 3.10.12, 3.10.13, 3.10.14, 3.10.15, 3.10.16, 3.10.17, 3.11.0, 3.11.0a1, 3.11.0a2, 3.11.0a3, 3.11.0a4, 3.11.0a5, 3.11.0a6, 3.11.0a7, 3.11.0b1, 3.11.0b2, 3.11.0b3, 3.11.0b4, 3.11.0b5, 3.11.0 rc1, 3.11.0 rc2, 3.11.1, 3.11.2, 3.11.3, 3.11.4, 3.11.5, 3.11.6, 3.11.7, 3.11.8, 3.11.9, 3.11.10, 3.11.11, 3.11.12, 3.12.0, 3.12.0a1, 3.12.0a2, 3.12.0a3, 3.12.0a4, 3.12.0a5, 3.12.0a6, 3.12.0a7, 3.12.0b1, 3.12.0b2, 3.12.0b3, 3.12.0b4, 3.12.0 rc1, 3.12.0 rc2, 3.12.0 rc3, 3.12.1, 3.12.2, 3.12.3, 3.12.4, 3.12.5, 3.12.6, 3.12.7, 3.12.8, 3.12.9, 3.12.10, 3.13.0, 3.13.0a1, 3.13.0a2, 3.13.0a3, 3.13.0a4, 3.13.0a5, 3.13.0a6, 3.13.0b1, 3.13.0b2, 3.13.0b3, 3.13.0b4, 3.13.0 rc1, 3.13.0 rc2, 3.13.0 rc3, 3.13.1, 3.13.2, 3.13.3, 3.14.0a1, 3.14.0a2, 3.14.0a3, 3.14.0a4, 3.14.0a5, 3.14.0a6, 3.14.0a7, 3.14.0b1, 3.14.0b2, 3.14.0b3
External links
https://gist.github.com/sethmlarson/52398e33eff261329a0180ac1d54f42f
https://github.com/python/cpython/commit/19de092debb3d7e832e5672cc2f7b788d35951da
https://github.com/python/cpython/commit/28463dba112af719df1e8b0391c46787ad756dd9
https://github.com/python/cpython/commit/3612d8f51741b11f36f8fb0494d79086bac9390a
https://github.com/python/cpython/commit/4633f3f497b1ff70e4a35b6fe2c907cbe2d4cb2e
https://github.com/python/cpython/commit/9c1110ef6652687d7c55f590f909720eddde965a
https://github.com/python/cpython/commit/9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a
https://github.com/python/cpython/commit/aa9eb5f757ceff461e6e996f12c89e5d9b583b01
https://github.com/python/cpython/commit/dd8f187d0746da151e0025c51680979ac5b4cfb1
https://github.com/python/cpython/issues/135034
https://github.com/python/cpython/pull/135037
https://mail.python.org/archives/list/security-announce@python.org/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.