CVE-2025-13462

LOW EPSS 6.0%

Published Mar 12, 20263mo ago · Modified Jun 17, 20261w ago

2.0 CVSS 4.0

Low

Published Mar 12, 2026 3mo ago

Last Modified Jun 17, 2026 1w ago

Description

The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.

CVSS Details

Base Score

2.0

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Local

Attack Complexity High

Privileges Required Low

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

6.0% percentile

Exploit & Patch Status

No Known Exploit

Patch Available

Weaknesses 3

CWE-20 Improper Input Validation Validation

CWE-434 Unrestricted Upload of File with Dangerous Type Resource Mgmt

CWE-74

Affected Products 9

Vendor	Product	Version	Range
python	python	*	<3.13.13
python	python	*	≥3.14.0 – <3.14.4
python	python	3.15.0	any
python	python	3.15.0	any
python	python	3.15.0	any
python	python	3.15.0	any
python	python	3.15.0	any
python	python	3.15.0	any
python	python	3.15.0	any

References 9

github.com https://github.com/python/cpython/commit/42d754e34c06e57ad6b8e7f92f32af679912d8ab

Patch
github.com https://github.com/python/cpython/commit/72dde1016493c52abe857fc4a7bf6c40138b4114

Patch
github.com https://github.com/python/cpython/commit/7ad3093d76a748af55bdb1d2e8aad3638163b017

Patch
github.com https://github.com/python/cpython/commit/9a23b753552afa28e3a2f4d8863572fc66479406

Patch
github.com https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7

Patch
github.com https://github.com/python/cpython/commit/d10950739a78f54d0718d88fb5a868374603c084

Patch
github.com https://github.com/python/cpython/issues/141707

Issue Tracking
github.com https://github.com/python/cpython/pull/143934

Issue TrackingPatch
mail.python.org https://mail.python.org/archives/list/security-announce@python.org/thread/EOMI5I66ZMKQ2INNFT6T7IAIKUGPZYIE/

Mailing ListVendor Advisory

Remediation

github.com https://github.com/python/cpython/commit/42d754e34c06e57ad6b8e7f92f32af679912d8ab

Patch
github.com https://github.com/python/cpython/commit/72dde1016493c52abe857fc4a7bf6c40138b4114

Patch
github.com https://github.com/python/cpython/commit/7ad3093d76a748af55bdb1d2e8aad3638163b017

Patch
github.com https://github.com/python/cpython/commit/9a23b753552afa28e3a2f4d8863572fc66479406

Patch
github.com https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7

Patch
github.com https://github.com/python/cpython/commit/d10950739a78f54d0718d88fb5a868374603c084

Patch
github.com https://github.com/python/cpython/pull/143934

Issue TrackingPatch