
CVE-2024-12718 – Bypass extraction filter to modify file metadata outside extraction directory
https://notcve.org/view.php?id=CVE-2024-12718
03 Jun 2025 — Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more inform... • https://gist.github.com/sethmlarson/52398e33eff261329a0180ac1d54f42f • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2025-4435 – Tarfile extracts filtered members when errorlevel=0
https://notcve.org/view.php?id=CVE-2025-4435
03 Jun 2025 — When using TarFile.errorlevel = 0 and extracting with a filter, the documented behavior is that any filtered members would be skipped and not extracted. However, the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped. A flaw was found in CPython's tarfile module. This vulnerability allows unauthorized file extraction via crafted tar archives when TarFile.errorlevel=0, bypassing expected filtering mechanisms. When using a TarFile.errorle... • https://github.com/python/cpython/commit/19de092debb3d7e832e5672cc2f7b788d35951da • CWE-682: Incorrect Calculation • CWE-706: Use of Incorrectly-Resolved Name or Reference

CVE-2025-4138 – Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory
https://notcve.org/view.php?id=CVE-2025-4138
03 Jun 2025 — Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. O... • https://gist.github.com/sethmlarson/52398e33eff261329a0180ac1d54f42f • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2025-4330 – Extraction filter bypass for linking outside extraction directory
https://notcve.org/view.php?id=CVE-2025-4330
03 Jun 2025 — Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. O... • https://gist.github.com/sethmlarson/52398e33eff261329a0180ac1d54f42f • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2025-4517 – Arbitrary writes via tarfile realpath overflow
https://notcve.org/view.php?id=CVE-2025-4517
03 Jun 2025 — Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Only Python versions 3.12 or later are affected by t... • https://gist.github.com/sethmlarson/52398e33eff261329a0180ac1d54f42f • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2025-4516 – Use-after-free in "unicode_escape" decoder with error handler
https://notcve.org/view.php?id=CVE-2025-4516
15 May 2025 — There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an error handler, your usage is not affected. To work around this issue you may stop using the error= handler and instead wrap the bytes.decode() call in a try-except catching the DecodeError. It was discovered that Python incorrectly handled certain unicode characters during decoding. An attacker could possibly use this issue to cause a denial of service. • https://github.com/python/cpython/commit/69b4387f78f413e8c47572a85b3478c47eba8142 • CWE-416: Use After Free

CVE-2024-3220 – Default mimetype known files writeable on Windows
https://notcve.org/view.php?id=CVE-2024-3220
14 Feb 2025 — There is a defect in the CPython standard library module “mimetypes” where, on Windows, the default list of known file locations is writable, meaning other users can create invalid files to cause MemoryError to be raised on Python runtime startup or have file extensions be interpreted as the incorrect file type. This defect is caused by the default locations of Linux and macOS platforms (such as “/etc/mime.types”) also being used on Windows, where they are user-writable locations (“C:\etc\mime.types”). To wor... • https://mail.python.org/archives/list/security-announce@python.org/thread/CDXW34ND2LSAOYAR5N6UNONP4ZBX4D6R • CWE-426: Untrusted Search Path

CVE-2025-0938 – URL parser allowed square brackets in domain names
https://notcve.org/view.php?id=CVE-2025-0938
31 Jan 2025 — The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets, which is not valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers. A flaw was found in Python. The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accept domain ... • https://github.com/python/cpython/commit/d89a5f6a6e65511a5f6e0618c4c30a7aa5aba56a • CWE-20: Improper Input Validation

CVE-2024-12254 – Unbounded memory buffering in SelectorSocketTransport.writelines()
https://notcve.org/view.php?id=CVE-2024-12254
06 Dec 2024 — Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer, potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users: you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using .wri... • https://github.com/python/cpython/commit/71e8429ac8e2adc10084ab5ec29a62f4b6671a82 • CWE-400: Uncontrolled Resource Consumption • CWE-770: Allocation of Resources Without Limits or Throttling

CVE-2024-9287 – Virtual environment (venv) activation scripts don't quote paths
https://notcve.org/view.php?id=CVE-2024-9287
22 Oct 2024 — A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (i.e. "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (i.e. "./ven... • https://github.com/python/cpython/issues/124651 • CWE-428: Unquoted Search Path or Element