CVE-2025-8291
BaseFortify
Publication date: 2025-10-07
Last updated on: 2025-10-29
Assigner: Python Software Foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python | python | 3.13.5 |
| python | python | 3.12.9 |
| python | python | From 3.13.1 (inc) to 3.13.11 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1285 | The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the 'zipfile' module not properly validating the offset value in the ZIP64 End of Central Directory (EOCD) Locator record. Instead of using that offset to locate the ZIP64 EOCD record, the module assumes the record sits immediately before the locator in the ZIP archive. This behavior can be exploited to create ZIP archives that are processed differently by the 'zipfile' module than by other ZIP implementations.
How can this vulnerability impact me?
The vulnerability could lead to inconsistent handling of ZIP archives by the 'zipfile' module versus other ZIP implementations. This may cause unexpected behavior or errors when processing specially crafted ZIP files, potentially leading to information integrity issues or application logic errors.
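The parser-differential described above can be checked for before an archive is handed to 'zipfile': the example below (added here, not code from the page or from CPython) reads the ZIP64 EOCD Locator, compares the offset it declares with the "record immediately before the locator" position that an unvalidating parser assumes, and flags any archive where the two disagree. The trailer bytes are constructed inline from the ZIP64 record layouts; `check_zip64_locator` and `build_trailer` are names chosen for this example.

```python
import struct

EOCD_SIG = b"PK\x05\x06"           # End of Central Directory record
ZIP64_EOCD_SIG = b"PK\x06\x06"     # ZIP64 End of Central Directory record
ZIP64_LOCATOR_SIG = b"PK\x06\x07"  # ZIP64 EOCD Locator
ZIP64_EOCD_LEN = 56                # base ZIP64 EOCD record, layout "<4sQ2H2L4Q"
ZIP64_LOCATOR_LEN = 20             # locator, layout "<4sLQL"
PREFIX = b"\x00" * 16              # constructed stand-in for file data before the trailer


def check_zip64_locator(data: bytes) -> dict:
    """Compare the ZIP64 EOCD offset declared in the locator with the position
    an unvalidating parser assumes (the record immediately before the locator).
    A mismatch means two ZIP implementations may read different central
    directories from the same bytes, which is the condition to reject."""
    eocd_pos = data.rfind(EOCD_SIG)
    if eocd_pos < 0:
        raise ValueError("no EOCD record")
    loc_pos = eocd_pos - ZIP64_LOCATOR_LEN
    if loc_pos < 0 or data[loc_pos:loc_pos + 4] != ZIP64_LOCATOR_SIG:
        raise ValueError("not a ZIP64 archive (no locator before the EOCD record)")
    _sig, _disk, declared, _ndisks = struct.unpack("<4sLQL", data[loc_pos:eocd_pos])
    assumed = loc_pos - ZIP64_EOCD_LEN
    # The declared offset must point at a ZIP64 EOCD signature that lies fully
    # before the locator; anything else is an inconsistent trailer.
    declared_valid = (0 <= declared <= assumed
                      and data[declared:declared + 4] == ZIP64_EOCD_SIG)
    return {"declared": declared, "assumed": assumed,
            "declared_valid": declared_valid,
            "consistent": declared_valid and declared == assumed}


def build_trailer(locator_offset: int, cd_offset: int = 0) -> bytes:
    """Constructed sample trailer with an empty central directory: PREFIX, then
    ZIP64 EOCD record, locator and EOCD. The locator's offset field is taken
    from the argument so a consistent and an inconsistent trailer can be built."""
    zip64_eocd = struct.pack("<4sQ2H2L4Q", ZIP64_EOCD_SIG, 44, 45, 45,
                             0, 0, 0, 0, 0, cd_offset)
    locator = struct.pack("<4sLQL", ZIP64_LOCATOR_SIG, 0, locator_offset, 1)
    eocd = struct.pack("<4s4H2LH", EOCD_SIG, 0, 0, 0, 0, 0, cd_offset, 0)
    return PREFIX + zip64_eocd + locator + eocd


if __name__ == "__main__":
    print(check_zip64_locator(build_trailer(len(PREFIX))))  # consistent trailer
    print(check_zip64_locator(build_trailer(0)))            # offset points at padding
```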