CVE-2025-13462

tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling

Severity Score

2.0

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.

El módulo 'tarfile' seguiría aplicando la normalización de bloques AREGTYPE (\x00) a DIRTYPE, incluso al procesar un miembro de múltiples bloques como GNUTYPE_LONGNAME o GNUTYPE_LONGLINK. Esto podría resultar en un archivo tar manipulado siendo malinterpretado por el módulo tarfile en comparación con otras implementaciones.

*Credits: N/A

CVSS Scores

Python SFv4 2.0

Attack Vector

Local

Attack Complexity

High

Attack Requirements

Present

Privileges Required

Low

User Interaction

None

System

Vulnerable | Subsequent

Confidentiality

None

Integrity

Low

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2025-11-19 CVE Reserved
2026-03-12 CVE Published
2026-05-01 CVE Updated
2026-05-02 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-434: Unrestricted Upload of File with Dangerous Type

CAPEC

References (8)

URL	Tag	Source
https://github.com/python/cpython/issues/141707	Issue Tracking

URL	Date	SRC

URL	Date	SRC
https://github.com/python/cpython/commit/42d754e34c06e57ad6b8e7f92f32af679912d8ab	2026-03-13
https://github.com/python/cpython/pull/143934	2026-03-13
https://github.com/python/cpython/commit/7ad3093d76a748af55bdb1d2e8aad3638163b017	2026-05-01
https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7	2026-05-01
https://github.com/python/cpython/commit/72dde1016493c52abe857fc4a7bf6c40138b4114	2026-05-01
https://github.com/python/cpython/commit/9a23b753552afa28e3a2f4d8863572fc66479406	2026-05-01

URL	Date	SRC
https://mail.python.org/archives/list/security-announce@python.org/thread/EOMI5I66ZMKQ2INNFT6T7IAIKUGPZYIE	2026-03-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Python Software Foundation Search vendor "Python Software Foundation"		CPython Search vendor "Python Software Foundation" for product "CPython"				< 3.13.13 Search vendor "Python Software Foundation" for product "CPython" and version " < 3.13.13"		en		Affected
Python Software Foundation Search vendor "Python Software Foundation"		CPython Search vendor "Python Software Foundation" for product "CPython"				>= 3.14.0 < 3.14.4 Search vendor "Python Software Foundation" for product "CPython" and version " >= 3.14.0 < 3.14.4"		en		Affected