CVE-2025-13462

Severity: Low · CVSS 4.0 score: 2.0 · EPSS: 6.0%
Published Mar 12, 2026 (3mo ago) · Last Modified Jun 17, 2026 (1w ago)

Description

The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.

CVSS Details

Base Score: 2.0
Vector string: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: X

Threat Intelligence

EPSS Exploit Probability: 6.0% percentile
Exploit & Patch Status: No Known Exploit, Patch Available

Weaknesses 3

  • CWE-20: Improper Input Validation (category: Validation)
  • CWE-434: Unrestricted Upload of File with Dangerous Type (category: Resource Mgmt)
  • CWE-74

Affected Products 9

Vendor  Product  Version  Range
python  python   *        <3.13.13
python  python   *        ≥3.14.0 – <3.14.4
python  python   3.15.0   any
python  python   3.15.0   any
python  python   3.15.0   any
python  python   3.15.0   any
python  python   3.15.0   any
python  python   3.15.0   any
python  python   3.15.0   any

References 9

  • github.com https://github.com/python/cpython/commit/42d754e34c06e57ad6b8e7f92f32af679912d8ab
    Patch
  • github.com https://github.com/python/cpython/commit/72dde1016493c52abe857fc4a7bf6c40138b4114
    Patch
  • github.com https://github.com/python/cpython/commit/7ad3093d76a748af55bdb1d2e8aad3638163b017
    Patch
  • github.com https://github.com/python/cpython/commit/9a23b753552afa28e3a2f4d8863572fc66479406
    Patch
  • github.com https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7
    Patch
  • github.com https://github.com/python/cpython/commit/d10950739a78f54d0718d88fb5a868374603c084
    Patch
  • github.com https://github.com/python/cpython/issues/141707
    Issue Tracking
  • github.com https://github.com/python/cpython/pull/143934
    Issue Tracking, Patch
  • mail.python.org https://mail.python.org/archives/list/security-announce@python.org/thread/EOMI5I66ZMKQ2INNFT6T7IAIKUGPZYIE/
    Mailing List, Vendor Advisory

Remediation

  • github.com https://github.com/python/cpython/commit/42d754e34c06e57ad6b8e7f92f32af679912d8ab
    Patch
  • github.com https://github.com/python/cpython/commit/72dde1016493c52abe857fc4a7bf6c40138b4114
    Patch
  • github.com https://github.com/python/cpython/commit/7ad3093d76a748af55bdb1d2e8aad3638163b017
    Patch
  • github.com https://github.com/python/cpython/commit/9a23b753552afa28e3a2f4d8863572fc66479406
    Patch
  • github.com https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7
    Patch
  • github.com https://github.com/python/cpython/commit/d10950739a78f54d0718d88fb5a868374603c084
    Patch
  • github.com https://github.com/python/cpython/pull/143934
    Issue Tracking, Patch