CVE-2025-8291
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-8291, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-07

Last updated on: 2025-10-29

Assigner: Python Software Foundation

Description

The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-07
Last Modified
2025-10-29
Generated
2026-07-06
AI Q&A
2025-10-07
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
python python 3.13.5
python python 3.12.9
python python From 3.13.1 (inc) to 3.13.11 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1285 The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves the 'zipfile' module not properly validating the offset value in the ZIP64 End of Central Directory (EOCD) Locator record. Instead of using the offset to locate the ZIP64 EOCD record, the module assumes it is the previous record in the ZIP archive. This behavior can be exploited to create ZIP archives that are processed differently by the 'zipfile' module compared to other ZIP implementations.

Impact Analysis

The vulnerability could lead to inconsistent handling of ZIP archives by the 'zipfile' module versus other ZIP implementations. This may cause unexpected behavior or errors when processing specially crafted ZIP files, potentially leading to information integrity issues or application logic errors.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-8291. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart