CVE-2025-13462
Tarfile Module Normalization Flaw Causes Archive Misinterpretation

Publication date: 2026-03-12

Last updated on: 2026-05-01

Assigner: Python Software Foundation

Description
The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.
Meta Information
Published: 2026-03-12
Last Modified: 2026-05-01
Generated: 2026-05-07
AI Q&A: 2026-03-12
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (7 associated CPEs)
Vendor   Product   Version / Range
python   tarfile   *
python   cpython   3.9
python   cpython   3.10
python   cpython   3.11
python   cpython   3.12
python   cpython   3.13
python   cpython   3.14
CWE
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-13462 is a low severity vulnerability in Python's tarfile module caused by incorrect normalization of tar archive entries. Specifically, the module incorrectly applies normalization of AREGTYPE (regular file) blocks to DIRTYPE (directory) entries even when processing multi-block members such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This leads to misinterpretation of specially crafted tar archives compared to other tar implementations.

The issue arises because when handling GNU long name encoding, the tarfile module reads the long name data blocks and then parses the actual header again. During this second parsing, garbage data from the long name section can overwrite the entry type, changing it incorrectly to a directory type. This causes the module to mismanage offsets and silently discard exceptions, resulting in incorrect processing or premature termination of archive reading.

The vulnerability affects how GNU long name and link types are handled during tar extraction, potentially causing inconsistent or incorrect archive processing. The fix involves skipping the DIRTYPE normalization during the handling of these GNU long name and link types to prevent this misclassification. [1, 2, 3]


How can this vulnerability impact me?

This vulnerability can cause the tarfile module to misinterpret specially crafted tar archives, leading to inconsistent or incorrect extraction of files.

Specifically, the incorrect normalization of file types can cause the module to mismanage offsets and silently discard errors during tar extraction. This may result in premature termination of archive processing or skipping of entries.

Potential security risks include arbitrary file extraction or path traversal attacks if an attacker crafts a malicious tar archive exploiting this flaw.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the Python tarfile module misinterpreting specially crafted tar archives that use GNU long name encoding combined with AREGTYPE blocks. Detection would involve analyzing tar archives for abnormal behavior during extraction, such as unexpected directory type normalization or silent failures when reading tar entries.

There are no specific commands provided in the available resources to detect this vulnerability directly on a network or system.
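The kind of analysis the answer above describes can be automated before an archive is handed to an extractor: walk the raw 512-byte tar headers with an independent parser that records each member's typeflag verbatim, then compare that view with what tarfile reports, and treat any disagreement (a differing type, name, offset or member count, especially for a member that follows a GNUTYPE_LONGNAME or GNUTYPE_LONGLINK header) as a reason not to extract. The script below is an added example written for this page; it is not code from CPython or from the CVE record, and the function names, the finding messages and the sample archive it builds are assumptions of the example. The sample is a constructed benign GNU-format archive with one long-named file and one directory, so the audit reports no findings; the checksum, V7 trailing-slash and prefix rules it applies are the standard ustar/GNU conventions, and pax and sparse members are reported as out of scope rather than guessed at.

```python
import io
import tarfile

BLOCK = 512
# Types carrying no data blocks; any other type is followed by size rounded up to
# 512 bytes (tarfile's rule: regular files and unknown types carry data).
NO_DATA_TYPES = {tarfile.LNKTYPE, tarfile.SYMTYPE, tarfile.DIRTYPE,
                 tarfile.FIFOTYPE, tarfile.CHRTYPE, tarfile.BLKTYPE}
# Encodings this audit does not model (sparse, pax); it stops rather than guess.
UNSUPPORTED = {tarfile.GNUTYPE_SPARSE, tarfile.XHDTYPE, tarfile.XGLTYPE}

def _number(field: bytes) -> int:
    """NUL/space-terminated octal, or GNU base-256 when the top bit is set."""
    if field[0] & 0x80:
        return int.from_bytes(field[1:], "big")
    text = field.split(b"\0", 1)[0].strip()
    return int(text, 8) if text else 0

def _string(field: bytes) -> str:
    return field.split(b"\0", 1)[0].decode("utf-8", "surrogateescape")

def _checksum_ok(hdr: bytes) -> bool:
    # Unsigned-byte sum with the checksum field itself counted as eight spaces.
    return _number(hdr[148:156]) == 256 + sum(hdr[:148]) + sum(hdr[156:])

def walk_raw_headers(data: bytes):
    """Walk the 512-byte headers independently of tarfile; returns (members, findings).
    GNU long name/link pseudo-headers are merged into the member that follows them."""
    members, findings = [], []
    offset, member_offset, pseudo = 0, None, []
    long_name = long_link = None
    while offset + BLOCK <= len(data):
        hdr = data[offset:offset + BLOCK]
        if hdr == bytes(BLOCK):  # end-of-archive marker
            break
        if not _checksum_ok(hdr):
            findings.append(f"bad header checksum at offset {offset}")
            break
        typeflag, size = hdr[156:157], _number(hdr[124:136])
        data_len = ((size + BLOCK - 1) // BLOCK) * BLOCK
        if member_offset is None:
            member_offset = offset
        if typeflag in (tarfile.GNUTYPE_LONGNAME, tarfile.GNUTYPE_LONGLINK):
            text = _string(data[offset + BLOCK:offset + BLOCK + size])
            if typeflag == tarfile.GNUTYPE_LONGNAME:
                long_name = text
            else:
                long_link = text
            pseudo.append(typeflag)
            offset += BLOCK + data_len
            continue
        if typeflag in UNSUPPORTED:
            findings.append(f"type {typeflag!r} at offset {offset} is out of scope")
            break
        name = long_name if long_name is not None else _string(hdr[0:100])
        linkname = long_link if long_link is not None else _string(hdr[157:257])
        prefix = _string(hdr[345:500])
        if prefix and long_name is None:
            name = prefix + "/" + name
        # V7 convention: NUL typeflag plus a trailing "/" in the name is a directory.
        if typeflag == tarfile.AREGTYPE and name.endswith("/"):
            typeflag = tarfile.DIRTYPE
        if typeflag == tarfile.DIRTYPE:
            name = name.rstrip("/")
        members.append({"offset": member_offset, "name": name, "type": typeflag,
                        "linkname": linkname, "size": size, "pseudo": pseudo})
        long_name = long_link = None
        pseudo, member_offset = [], None
        offset += BLOCK + (0 if typeflag in NO_DATA_TYPES else data_len)
    return members, findings

def audit_archive(data: bytes) -> list:
    """Each disagreement between the raw walk and tarfile's view is one finding."""
    members, findings = walk_raw_headers(data)
    if findings:
        return findings
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            parsed = tf.getmembers()
    except tarfile.TarError as exc:
        return [f"tarfile rejected the archive: {exc}"]
    if len(parsed) != len(members):
        findings.append(f"member count: raw walk {len(members)}, tarfile {len(parsed)}")
    for raw, ti in zip(members, parsed):
        tag = f"member at offset {raw['offset']}"
        if (ti.offset, ti.name) != (raw["offset"], raw["name"]):
            findings.append(f"{tag}: tarfile sees {ti.name!r} at offset {ti.offset}")
        if ti.type != raw["type"]:
            note = " (follows a GNU long name/link header)" if raw["pseudo"] else ""
            findings.append(f"{tag}: type {raw['type']!r} vs tarfile {ti.type!r}{note}")
    return findings

def build_sample_archive() -> bytes:
    """Constructed benign sample in GNU format: one file whose name exceeds the
    100-byte ustar field (so a GNUTYPE_LONGNAME header is emitted) and one directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        payload = b"hello\n"
        ti = tarfile.TarInfo(name="reports/" + "x" * 140 + ".txt")
        ti.size = len(payload)
        tf.addfile(ti, io.BytesIO(payload))
        d = tarfile.TarInfo(name="reports/subdir")
        d.type = tarfile.DIRTYPE
        tf.addfile(d)
    return buf.getvalue()
```

Running `audit_archive` over an archive received from an untrusted source and refusing to extract when the list is non-empty gives a pre-extraction check that does not depend on the patched or unpatched tarfile agreeing with itself. The raw walk deliberately stops at the first checksum failure or unsupported member type, so a finding of that kind means "inspect by hand", not "clean".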


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update your Python environment to a version that includes the fix for CVE-2025-13462. The fix was merged on March 11, 2026, and backported to Python versions 3.10 through 3.14.

The fix involves skipping the normalization of directory type (DIRTYPE) entries during the processing of GNU long name and link types in the tarfile module, preventing misinterpretation of tar archives.

Until you update, avoid extracting tar archives from untrusted sources that might exploit this vulnerability.

