CVE-2025-8194
BaseFortify
Publication date: 2025-07-28
Last updated on: 2025-11-04
Assigner: Python Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python | cpython | 3.10 |
| python | cpython | 3.12 |
| python | cpython | 3.14 |
| python | cpython | 3.9 |
| python | cpython | 3.13 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8194 is a security vulnerability in Python's tarfile module, specifically in the TarFile extraction and entry enumeration APIs. The vulnerability arises because the tarfile implementation processes tar archives containing negative member offsets without raising an error. This flaw allows maliciously crafted tar archives with negative offsets to cause an infinite loop and deadlock during parsing. The issue is due to insufficient validation of tar archive member offsets, which can be negative and lead to errors such as infinite loops or stream errors when parsing the archive. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can cause denial of service by triggering an infinite loop and deadlock when processing maliciously crafted tar archives with negative offsets. This can halt or freeze applications that use the tarfile module to extract or enumerate tar archives, potentially disrupting services or workflows that rely on tar file processing. Additionally, it can lead to errors like tarfile.StreamError due to corrupted metadata parsing, which may affect the stability and reliability of software using this module. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for tarfile extraction processes that hang or deadlock when processing tar archives, especially those that might be maliciously crafted with negative offsets. There is no specific command-line tool or signature provided in the resources to detect this automatically. However, you can test Python scripts that use the tarfile module by attempting to extract suspicious tar archives and observing if the process enters an infinite loop or deadlock. Additionally, reviewing logs for errors related to tarfile processing or unusual CPU usage during tar extraction may help identify exploitation attempts. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, apply the provided patch after importing the tarfile module in your Python code. The patch overrides the internal _block method of tarfile.TarInfo to raise an InvalidHeaderError if a negative offset is detected, preventing infinite loops and deadlocks. The patch code is: import tarfile def _block_patched(self, count): if count < 0: # pragma: no cover raise tarfile.InvalidHeaderError("invalid offset") return _block_patched._orig_block(self, count) _block_patched._orig_block = tarfile.TarInfo._block tarfile.TarInfo._block = _block_patched Additionally, ensure your Python environment is updated with the official fix merged in July 2025, which has been backported to Python versions 3.9 through 3.14. [1, 3]