CVE-2025-4435

Description

When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.

How to fix CVE-2025-4435

To remediate CVE-2025-4435, upgrade the affected package to a fixed version below.

• —upgrade to 3.9.23 or later
• —upgrade to 3.9.23 or later
• —upgrade to 3.9.23 or later
• —no fix listed
• —upgrade to 3.13.4-1 or later

Is CVE-2025-4435 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• from 0, < 3.9.23, >= 3.10.0, < 3.10.18, >= 3.11.0, < 3.11.13, >= 3.12.0, < 3.12.11, >= 3.13.0, < 3.13.4
• from 0, < 3.9.23, >= 3.10.0, < 3.10.18, >= 3.11.0, < 3.11.13, >= 3.12.0, < 3.12.11, >= 3.13.0, < 3.13.4
• from 0, < 3.9.23, >= 3.10.0, < 3.10.18, >= 3.11.0, < 3.11.13, >= 3.12.0, < 3.12.11, >= 3.13.0, < 3.13.4
• from 0
• from 0, < 3.13.4-1

CVSS scores

References (13)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-4435
• WEBgithub.com/python/cpython/commit/19de092debb3d7e832e5672cc2f7b788d35951da
• WEBgithub.com/python/cpython/commit/28463dba112af719df1e8b0391c46787ad756dd9
• WEBgithub.com/python/cpython/commit/3612d8f51741b11f36f8fb0494d79086bac9390a