Bug 2402342 (CVE-2025-8291) - CVE-2025-8291 cpython: python: Python zipfile End of Central Directory (EOCD) Locator record offset not checked
Keywords:
Status: NEW
Alias: CVE-2025-8291
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2402857 2402858 2402859 2402860 2402861 2402862 2402863 2402864 2402865 2402866 2402867 2402868 2402869 2402870 2402871 2402872 2402873 2402874 2402875 2402876 2402877
Blocks:
Reported: 2025-10-07 19:01 UTC by OSIDB Bzimport
Modified: 2025-10-09 18:13 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-10-07 19:01:48 UTC
The 'zipfile' module would not check the validity of the ZIP64 End of
Central Directory (EOCD) Locator record: the offset value would not be used to
locate the ZIP64 EOCD record; instead, the ZIP64 EOCD record would be
assumed to be the previous record in the ZIP archive. This could be abused
to create ZIP archives that are handled differently by the 'zipfile' module
compared to other ZIP implementations.


Remediation maintains this behavior, but checks that the offset specified
in the ZIP64 EOCD Locator record matches the expected value.
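The consistency check described above, as an added stand-alone example (not the cpython patch itself): it parses the archive tail, computes where the ZIP64 EOCD record must sit if it immediately precedes the Locator, and compares that with the offset the Locator declares. The record layouts are from the ZIP APPNOTE; the sample archive tails (`GOOD`, `BAD`) and the helper names are constructed for this example.

```python
import struct

# Little-endian record layouts from the ZIP APPNOTE (sizes: 56, 20, 22 bytes).
ZIP64_EOCD = "<4sQ2H2L4Q"   # sig, record size, ver made, ver needed, disk, cd disk, n disk, n total, cd size, cd offset
ZIP64_LOCATOR = "<4sLQL"    # sig, disk holding the ZIP64 EOCD, offset of the ZIP64 EOCD, total disks
EOCD = "<4s4H2LH"           # sig, disk, cd disk, n disk, n total, cd size, cd offset, comment length
SIG_ZIP64_EOCD, SIG_LOCATOR, SIG_EOCD = b"PK\x06\x06", b"PK\x06\x07", b"PK\x05\x06"

def build_tail(cd_offset, cd_size, entries, locator_offset):
    """Constructed helper: ZIP64 EOCD record + Locator + EOCD for a single-disk archive.
    locator_offset is the value written into the Locator's offset field; a consistent
    archive sets it to the real position of the ZIP64 EOCD record."""
    zip64_eocd = struct.pack(ZIP64_EOCD, SIG_ZIP64_EOCD, 44, 45, 45, 0, 0,
                             entries, entries, cd_size, cd_offset)
    locator = struct.pack(ZIP64_LOCATOR, SIG_LOCATOR, 0, locator_offset, 1)
    eocd = struct.pack(EOCD, SIG_EOCD, 0, 0, entries, entries, cd_size, cd_offset, 0)
    return zip64_eocd + locator + eocd

def check_zip64_locator(data):
    """Return (expected_offset, declared_offset, consistent), or None for a non-ZIP64 archive.
    expected_offset is where the ZIP64 EOCD record sits if it is the record directly before
    the Locator (the assumption the bug describes); declared_offset is what the Locator says."""
    eocd_pos = data.rfind(SIG_EOCD)
    if eocd_pos < 0:
        raise ValueError("no End of Central Directory record")
    comment_len = struct.unpack(EOCD, data[eocd_pos:eocd_pos + 22])[7]
    if eocd_pos + 22 + comment_len != len(data):
        raise ValueError("EOCD comment length does not match file size")
    loc_pos = eocd_pos - 20
    if loc_pos < 0 or data[loc_pos:loc_pos + 4] != SIG_LOCATOR:
        return None                      # plain (non-ZIP64) archive: nothing to check
    _, disk, declared, ndisks = struct.unpack(ZIP64_LOCATOR, data[loc_pos:loc_pos + 20])
    if disk != 0 or ndisks != 1:
        raise ValueError("multi-disk archives are not supported")
    expected = loc_pos - 56              # minimal ZIP64 EOCD record, no extensible data
    if expected < 0 or data[expected:expected + 4] != SIG_ZIP64_EOCD:
        raise ValueError("no ZIP64 EOCD record directly before the Locator")
    return expected, declared, expected == declared

# Constructed samples: 22 bytes standing in for local file data, an empty central
# directory, then the ZIP64 tail, so the ZIP64 EOCD record starts at offset 22.
PREFIX = b"constructed-local-data"
GOOD = PREFIX + build_tail(len(PREFIX), 0, 0, len(PREFIX))   # Locator offset matches
BAD = PREFIX + build_tail(len(PREFIX), 0, 0, 0)              # Locator points at offset 0
```

A reader that trusts the Locator offset and one that assumes the preceding record disagree on `BAD`, which is the divergence between implementations the description refers to; rejecting archives where the two differ is the remediation's check.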

