Action not permitted
Modal body text goes here.
Modal Title
Modal Body
usn-7583-1
Vulnerability from osv_ubuntu
It was discovered that Python incorrectly handled tar archive extraction with the filtering option. An attacker could possibly use this issue to modify files in arbitrary filesystem locations and cause data loss.
{
"affected": [
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2024-12718",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2025-4138",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2025-4330",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2025-4435",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2025-4517",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:24.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "idle-python3.12",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "libpython3.12-minimal",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "libpython3.12-stdlib",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "libpython3.12-testsuite",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "libpython3.12t64",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-examples",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-full",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-minimal",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-nopie",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-venv",
"binary_version": "3.12.3-1ubuntu0.7"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "python3.12",
"purl": "pkg:deb/ubuntu/python3.12@3.12.3-1ubuntu0.7?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.12.3-1ubuntu0.7"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.12.0-1",
"3.12.0-5",
"3.12.0-6",
"3.12.0-7",
"3.12.1-2",
"3.12.2-1",
"3.12.2-4build3",
"3.12.2-4build4",
"3.12.2-5ubuntu3",
"3.12.3-1",
"3.12.3-1ubuntu0.1",
"3.12.3-1ubuntu0.2",
"3.12.3-1ubuntu0.3",
"3.12.3-1ubuntu0.4",
"3.12.3-1ubuntu0.5",
"3.12.3-1ubuntu0.6"
]
}
],
"aliases": [],
"details": "It was discovered that Python incorrectly handled tar archive extraction\nwith the filtering option. An attacker could possibly use this issue to\nmodify files in arbitrary filesystem locations and cause data loss.",
"id": "USN-7583-1",
"modified": "2026-04-22T07:37:21Z",
"published": "2025-06-19T12:22:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7583-1"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2024-12718"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2025-4138"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2025-4330"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2025-4435"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2025-4517"
}
],
"related": [],
"schema_version": "1.7.0",
"summary": "python3.13, python3.12 vulnerabilities",
"upstream": [
"UBUNTU-CVE-2024-12718",
"UBUNTU-CVE-2025-4138",
"UBUNTU-CVE-2025-4330",
"UBUNTU-CVE-2025-4435",
"UBUNTU-CVE-2025-4517"
]
}
ubuntu-cve-2024-12718
Vulnerability from osv_ubuntu
Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
| URL | Type | ||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "idle-python3.12",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "libpython3.12-minimal",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "libpython3.12-stdlib",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "libpython3.12-testsuite",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "libpython3.12t64",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-examples",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-full",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-minimal",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-nopie",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-venv",
"binary_version": "3.12.3-1ubuntu0.7"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "python3.12",
"purl": "pkg:deb/ubuntu/python3.12@3.12.3-1ubuntu0.7?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.12.3-1ubuntu0.7"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.12.0-1",
"3.12.0-5",
"3.12.0-6",
"3.12.0-7",
"3.12.1-2",
"3.12.2-1",
"3.12.2-4build3",
"3.12.2-4build4",
"3.12.2-5ubuntu3",
"3.12.3-1",
"3.12.3-1ubuntu0.1",
"3.12.3-1ubuntu0.2",
"3.12.3-1ubuntu0.3",
"3.12.3-1ubuntu0.4",
"3.12.3-1ubuntu0.5",
"3.12.3-1ubuntu0.6"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "idle-python3.14",
"binary_version": "3.14.0-1"
},
{
"binary_name": "libpython3.14",
"binary_version": "3.14.0-1"
},
{
"binary_name": "libpython3.14-minimal",
"binary_version": "3.14.0-1"
},
{
"binary_name": "libpython3.14-stdlib",
"binary_version": "3.14.0-1"
},
{
"binary_name": "libpython3.14-testsuite",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-examples",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-full",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-gdbm",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-minimal",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-nopie",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-tk",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-venv",
"binary_version": "3.14.0-1"
}
]
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "python3.14",
"purl": "pkg:deb/ubuntu/python3.14@3.14.0-1?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.14.0-1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.14.0~a7-0ubuntu1",
"3.14.0~b1-1",
"3.14.0~b3-1",
"3.14.0~rc1-1",
"3.14.0~rc2-1",
"3.14.0~rc3-1"
]
}
],
"aliases": [],
"details": "Allows modifying some file metadata (e.g. last modified) with filter=\"data\"\u00a0or file permissions (chmod) with filter=\"tar\"\u00a0of files outside the extraction directory. You are affected by this vulnerability if using the tarfile\u00a0module to extract untrusted tar archives using TarFile.extractall()\u00a0or TarFile.extract()\u00a0using the filter=\u00a0parameter with a value of \"data\"\u00a0or \"tar\". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter \u00a0for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don\u0027t include the extraction filter feature. Note that for Python 3.14 or later the default value of filter=\u00a0changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it\u0027s important to avoid installing source distributions with suspicious links.",
"id": "UBUNTU-CVE-2024-12718",
"modified": "2026-04-22T07:47:57Z",
"published": "2025-06-03T13:15:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2024-12718"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-12718"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/issues/135034"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/pull/135037"
},
{
"type": "REPORT",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/"
},
{
"type": "REPORT",
"url": "https://gist.github.com/sethmlarson/52398e33eff261329a0180ac1d54f42f"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/3612d8f51741b11f36f8fb0494d79086bac9390a"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/issues/127987"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/98016f7c92aa4c1232c68bac1ed6646db31782ec"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7583-1"
}
],
"related": [
"USN-7583-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2024-12718"
]
}
ubuntu-cve-2025-4138
Vulnerability from osv_ubuntu
Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "idle-python3.12",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "libpython3.12-minimal",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "libpython3.12-stdlib",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "libpython3.12-testsuite",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "libpython3.12t64",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-examples",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-full",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-minimal",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-nopie",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-venv",
"binary_version": "3.12.3-1ubuntu0.7"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "python3.12",
"purl": "pkg:deb/ubuntu/python3.12@3.12.3-1ubuntu0.7?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.12.3-1ubuntu0.7"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.12.0-1",
"3.12.0-5",
"3.12.0-6",
"3.12.0-7",
"3.12.1-2",
"3.12.2-1",
"3.12.2-4build3",
"3.12.2-4build4",
"3.12.2-5ubuntu3",
"3.12.3-1",
"3.12.3-1ubuntu0.1",
"3.12.3-1ubuntu0.2",
"3.12.3-1ubuntu0.3",
"3.12.3-1ubuntu0.4",
"3.12.3-1ubuntu0.5",
"3.12.3-1ubuntu0.6"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "idle-python3.14",
"binary_version": "3.14.0-1"
},
{
"binary_name": "libpython3.14",
"binary_version": "3.14.0-1"
},
{
"binary_name": "libpython3.14-minimal",
"binary_version": "3.14.0-1"
},
{
"binary_name": "libpython3.14-stdlib",
"binary_version": "3.14.0-1"
},
{
"binary_name": "libpython3.14-testsuite",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-examples",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-full",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-gdbm",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-minimal",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-nopie",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-tk",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-venv",
"binary_version": "3.14.0-1"
}
]
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "python3.14",
"purl": "pkg:deb/ubuntu/python3.14@3.14.0-1?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.14.0-1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.14.0~a7-0ubuntu1",
"3.14.0~b1-1",
"3.14.0~b3-1",
"3.14.0~rc1-1",
"3.14.0~rc2-1",
"3.14.0~rc3-1"
]
}
],
"aliases": [],
"details": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile\u00a0module to extract untrusted tar archives using TarFile.extractall()\u00a0or TarFile.extract()\u00a0using the filter=\u00a0parameter with a value of \"data\"\u00a0or \"tar\". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter \u00a0for more information. Note that for Python 3.14 or later the default value of filter=\u00a0changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it\u0027s important to avoid installing source distributions with suspicious links.",
"id": "UBUNTU-CVE-2025-4138",
"modified": "2026-04-22T07:53:18Z",
"published": "2025-06-03T13:15:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2025-4138"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4138"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/issues/135034"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/pull/135037"
},
{
"type": "REPORT",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/"
},
{
"type": "REPORT",
"url": "https://gist.github.com/sethmlarson/52398e33eff261329a0180ac1d54f42f"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/19de092debb3d7e832e5672cc2f7b788d35951da"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/28463dba112af719df1e8b0391c46787ad756dd9"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/3612d8f51741b11f36f8fb0494d79086bac9390a"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/4633f3f497b1ff70e4a35b6fe2c907cbe2d4cb2e"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/aa9eb5f757ceff461e6e996f12c89e5d9b583b01"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/98016f7c92aa4c1232c68bac1ed6646db31782ec"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7583-1"
}
],
"related": [
"USN-7583-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2025-4138"
]
}
ubuntu-cve-2025-4330
Vulnerability from osv_ubuntu
Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "idle-python3.12",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "libpython3.12-minimal",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "libpython3.12-stdlib",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "libpython3.12-testsuite",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "libpython3.12t64",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-examples",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-full",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-minimal",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-nopie",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-venv",
"binary_version": "3.12.3-1ubuntu0.7"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "python3.12",
"purl": "pkg:deb/ubuntu/python3.12@3.12.3-1ubuntu0.7?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.12.3-1ubuntu0.7"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.12.0-1",
"3.12.0-5",
"3.12.0-6",
"3.12.0-7",
"3.12.1-2",
"3.12.2-1",
"3.12.2-4build3",
"3.12.2-4build4",
"3.12.2-5ubuntu3",
"3.12.3-1",
"3.12.3-1ubuntu0.1",
"3.12.3-1ubuntu0.2",
"3.12.3-1ubuntu0.3",
"3.12.3-1ubuntu0.4",
"3.12.3-1ubuntu0.5",
"3.12.3-1ubuntu0.6"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "idle-python3.14",
"binary_version": "3.14.0-1"
},
{
"binary_name": "libpython3.14",
"binary_version": "3.14.0-1"
},
{
"binary_name": "libpython3.14-minimal",
"binary_version": "3.14.0-1"
},
{
"binary_name": "libpython3.14-stdlib",
"binary_version": "3.14.0-1"
},
{
"binary_name": "libpython3.14-testsuite",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-examples",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-full",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-gdbm",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-minimal",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-nopie",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-tk",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-venv",
"binary_version": "3.14.0-1"
}
]
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "python3.14",
"purl": "pkg:deb/ubuntu/python3.14@3.14.0-1?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.14.0-1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.14.0~a7-0ubuntu1",
"3.14.0~b1-1",
"3.14.0~b3-1",
"3.14.0~rc1-1",
"3.14.0~rc2-1",
"3.14.0~rc3-1"
]
}
],
"aliases": [],
"details": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile\u00a0module to extract untrusted tar archives using TarFile.extractall()\u00a0or TarFile.extract()\u00a0using the filter=\u00a0parameter with a value of \"data\"\u00a0or \"tar\". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter \u00a0for more information. Note that for Python 3.14 or later the default value of filter=\u00a0changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it\u0027s important to avoid installing source distributions with suspicious links.",
"id": "UBUNTU-CVE-2025-4330",
"modified": "2026-04-22T07:53:18Z",
"published": "2025-06-03T13:15:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2025-4330"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4330"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/issues/135034"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/pull/135037"
},
{
"type": "REPORT",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/"
},
{
"type": "REPORT",
"url": "https://gist.github.com/sethmlarson/52398e33eff261329a0180ac1d54f42f"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/19de092debb3d7e832e5672cc2f7b788d35951da"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/28463dba112af719df1e8b0391c46787ad756dd9"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/3612d8f51741b11f36f8fb0494d79086bac9390a"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/4633f3f497b1ff70e4a35b6fe2c907cbe2d4cb2e"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/aa9eb5f757ceff461e6e996f12c89e5d9b583b01"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/98016f7c92aa4c1232c68bac1ed6646db31782ec"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7583-1"
}
],
"related": [
"USN-7583-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2025-4330"
]
}
ubuntu-cve-2025-4435
Vulnerability from osv_ubuntu
When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.
| URL | Type | ||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "idle-python3.12",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "libpython3.12-minimal",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "libpython3.12-stdlib",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "libpython3.12-testsuite",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "libpython3.12t64",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-examples",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-full",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-minimal",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-nopie",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-venv",
"binary_version": "3.12.3-1ubuntu0.7"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "python3.12",
"purl": "pkg:deb/ubuntu/python3.12@3.12.3-1ubuntu0.7?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.12.3-1ubuntu0.7"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.12.0-1",
"3.12.0-5",
"3.12.0-6",
"3.12.0-7",
"3.12.1-2",
"3.12.2-1",
"3.12.2-4build3",
"3.12.2-4build4",
"3.12.2-5ubuntu3",
"3.12.3-1",
"3.12.3-1ubuntu0.1",
"3.12.3-1ubuntu0.2",
"3.12.3-1ubuntu0.3",
"3.12.3-1ubuntu0.4",
"3.12.3-1ubuntu0.5",
"3.12.3-1ubuntu0.6"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "idle-python3.14",
"binary_version": "3.14.0-1"
},
{
"binary_name": "libpython3.14",
"binary_version": "3.14.0-1"
},
{
"binary_name": "libpython3.14-minimal",
"binary_version": "3.14.0-1"
},
{
"binary_name": "libpython3.14-stdlib",
"binary_version": "3.14.0-1"
},
{
"binary_name": "libpython3.14-testsuite",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-examples",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-full",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-gdbm",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-minimal",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-nopie",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-tk",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-venv",
"binary_version": "3.14.0-1"
}
]
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "python3.14",
"purl": "pkg:deb/ubuntu/python3.14@3.14.0-1?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.14.0-1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.14.0~a7-0ubuntu1",
"3.14.0~b1-1",
"3.14.0~b3-1",
"3.14.0~rc1-1",
"3.14.0~rc2-1",
"3.14.0~rc3-1"
]
}
],
"aliases": [],
"details": "When using a TarFile.errorlevel = 0\u00a0and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0\u00a0in affected versions is that the member would still be extracted and not skipped.",
"id": "UBUNTU-CVE-2025-4435",
"modified": "2026-04-22T07:53:18Z",
"published": "2025-06-03T13:15:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2025-4435"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4435"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/issues/135034"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/pull/135037"
},
{
"type": "REPORT",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/19de092debb3d7e832e5672cc2f7b788d35951da"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/28463dba112af719df1e8b0391c46787ad756dd9"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/3612d8f51741b11f36f8fb0494d79086bac9390a"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/4633f3f497b1ff70e4a35b6fe2c907cbe2d4cb2e"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/aa9eb5f757ceff461e6e996f12c89e5d9b583b01"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/98016f7c92aa4c1232c68bac1ed6646db31782ec"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7583-1"
}
],
"related": [
"USN-7583-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2025-4435"
]
}
ubuntu-cve-2025-4517
Vulnerability from osv_ubuntu
Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "idle-python3.12",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "libpython3.12-minimal",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "libpython3.12-stdlib",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "libpython3.12-testsuite",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "libpython3.12t64",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-examples",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-full",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-minimal",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-nopie",
"binary_version": "3.12.3-1ubuntu0.7"
},
{
"binary_name": "python3.12-venv",
"binary_version": "3.12.3-1ubuntu0.7"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "python3.12",
"purl": "pkg:deb/ubuntu/python3.12@3.12.3-1ubuntu0.7?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.12.3-1ubuntu0.7"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.12.0-1",
"3.12.0-5",
"3.12.0-6",
"3.12.0-7",
"3.12.1-2",
"3.12.2-1",
"3.12.2-4build3",
"3.12.2-4build4",
"3.12.2-5ubuntu3",
"3.12.3-1",
"3.12.3-1ubuntu0.1",
"3.12.3-1ubuntu0.2",
"3.12.3-1ubuntu0.3",
"3.12.3-1ubuntu0.4",
"3.12.3-1ubuntu0.5",
"3.12.3-1ubuntu0.6"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "idle-python3.14",
"binary_version": "3.14.0-1"
},
{
"binary_name": "libpython3.14",
"binary_version": "3.14.0-1"
},
{
"binary_name": "libpython3.14-minimal",
"binary_version": "3.14.0-1"
},
{
"binary_name": "libpython3.14-stdlib",
"binary_version": "3.14.0-1"
},
{
"binary_name": "libpython3.14-testsuite",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-examples",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-full",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-gdbm",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-minimal",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-nopie",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-tk",
"binary_version": "3.14.0-1"
},
{
"binary_name": "python3.14-venv",
"binary_version": "3.14.0-1"
}
]
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "python3.14",
"purl": "pkg:deb/ubuntu/python3.14@3.14.0-1?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.14.0-1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.14.0~a7-0ubuntu1",
"3.14.0~b1-1",
"3.14.0~b3-1",
"3.14.0~rc1-1",
"3.14.0~rc2-1",
"3.14.0~rc3-1"
]
}
],
"aliases": [],
"details": "Allows arbitrary filesystem writes outside the extraction directory during extraction with filter=\"data\". You are affected by this vulnerability if using the tarfile\u00a0module to extract untrusted tar archives using TarFile.extractall()\u00a0or TarFile.extract()\u00a0using the filter=\u00a0parameter with a value of \"data\"\u00a0or \"tar\". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter \u00a0for more information. Note that for Python 3.14 or later the default value of filter=\u00a0changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it\u0027s important to avoid installing source distributions with suspicious links.",
"id": "UBUNTU-CVE-2025-4517",
"modified": "2026-04-22T07:53:18Z",
"published": "2025-06-03T13:15:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2025-4517"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4517"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/issues/135034"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/pull/135037"
},
{
"type": "REPORT",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/"
},
{
"type": "REPORT",
"url": "https://gist.github.com/sethmlarson/52398e33eff261329a0180ac1d54f42f"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/19de092debb3d7e832e5672cc2f7b788d35951da"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/28463dba112af719df1e8b0391c46787ad756dd9"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/3612d8f51741b11f36f8fb0494d79086bac9390a"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/4633f3f497b1ff70e4a35b6fe2c907cbe2d4cb2e"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/aa9eb5f757ceff461e6e996f12c89e5d9b583b01"
},
{
"type": "REPORT",
"url": "https://github.com/python/cpython/commit/98016f7c92aa4c1232c68bac1ed6646db31782ec"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7583-1"
}
],
"related": [
"USN-7583-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2025-4517"
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.