Bug 2372426 (CVE-2025-4138)

Summary: CVE-2025-4138 cpython: python: Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: crizzo, dfreiber, drow, jburrell, jmitchel, jtanner, kshier, pbohmill, teagle, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Python tarfile module. This vulnerability allows attackers to bypass extraction filters, enabling symlink targets to escape the destination directory and allowing unauthorized modification of file metadata via the use of TarFile.extract() or TarFile.extractall() with the filter= parameter set to "data" or "tar".
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2429955, 2429956, 2429957, 2429958, 2372448, 2373723, 2373724    
Bug Blocks:    

Description OSIDB Bzimport 2025-06-12 09:04:21 UTC 
Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.


You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.

Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected.

Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
Comment 6 errata-xmlrpc 2025-06-30 13:38:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:9918 https://access.redhat.com/errata/RHSA-2025:9918
Comment 7 errata-xmlrpc 2025-07-01 08:39:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:10026 https://access.redhat.com/errata/RHSA-2025:10026
Comment 8 errata-xmlrpc 2025-07-01 08:46:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:10028 https://access.redhat.com/errata/RHSA-2025:10028
Comment 9 errata-xmlrpc 2025-07-01 09:09:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:10031 https://access.redhat.com/errata/RHSA-2025:10031
Comment 10 errata-xmlrpc 2025-07-01 19:57:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:10128 https://access.redhat.com/errata/RHSA-2025:10128
Comment 11 errata-xmlrpc 2025-07-01 20:48:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:10136 https://access.redhat.com/errata/RHSA-2025:10136
Comment 12 errata-xmlrpc 2025-07-01 21:43:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:10140 https://access.redhat.com/errata/RHSA-2025:10140
Comment 13 errata-xmlrpc 2025-07-01 21:55:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:10148 https://access.redhat.com/errata/RHSA-2025:10148
Comment 15 errata-xmlrpc 2025-07-02 06:18:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:10189 https://access.redhat.com/errata/RHSA-2025:10189
Comment 17 errata-xmlrpc 2025-07-07 11:15:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:10399 https://access.redhat.com/errata/RHSA-2025:10399
Comment 18 errata-xmlrpc 2025-07-07 16:11:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service
  Red Hat Enterprise Linux 8.6 Extended Update Support EXTENSION

Via RHSA-2025:10484 https://access.redhat.com/errata/RHSA-2025:10484
Comment 19 errata-xmlrpc 2025-07-08 11:10:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service
  Red Hat Enterprise Linux 8.8 Extended Update Support EXTENSION

Via RHSA-2025:10602 https://access.redhat.com/errata/RHSA-2025:10602
Comment 25 errata-xmlrpc 2025-07-17 15:27:04 UTC 
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2025:11386 https://access.redhat.com/errata/RHSA-2025:11386
Comment 62 errata-xmlrpc 2025-12-18 01:16:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:23530 https://access.redhat.com/errata/RHSA-2025:23530
Comment 63 errata-xmlrpc 2026-01-21 20:21:43 UTC 
This issue has been addressed in the following products:

  RHOSS-1.36-RHEL-8

Via RHSA-2026:0934 https://access.redhat.com/errata/RHSA-2026:0934