CVE-2025-8194
Tarfile infinite loop during parsing with negative member offset
7.5
HIGH
CVSS 3.1
EPSS 1.0%
Description
There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module: https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1
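As an added example (not from this advisory, the gist, or CPython itself), a conservative pre-screen for archives from untrusted sources: it walks the ustar headers independently of tarfile, accepts only plain octal size fields, and refuses any member whose computed next offset fails to advance or runs past the end of the data, so a malformed archive is rejected before the vulnerable parser ever sees it. It assumes plain uncompressed tar input and is defense in depth alongside the upgrade or patch above, not a substitute for them.

```python
import io
import tarfile

BLOCK = 512

class UnsafeTarError(ValueError):
    """Archive refused by the pre-screen before tarfile ever parses it."""

def _octal_field(raw: bytes) -> int:
    """Decode a ustar numeric field, accepting only plain ASCII octal.
    GNU base-256 binary fields, which can encode negative values, are refused."""
    text = raw.rstrip(b"\x00 ")
    if not text or any(c not in b"01234567" for c in text):
        raise UnsafeTarError(f"non-octal numeric field: {raw!r}")
    return int(text, 8)

def screen_tar(data: bytes, max_members: int = 10_000) -> list[tuple[str, int, int]]:
    """Walk the 512-byte headers and return (name, header_offset, size) per member.
    Refuses a member whose next offset fails to advance or lies past the data end."""
    members = []
    offset = 0
    while offset + BLOCK <= len(data):
        header = data[offset:offset + BLOCK]
        if header == b"\x00" * BLOCK:
            break  # end-of-archive marker
        size = _octal_field(header[124:136])
        next_offset = offset + BLOCK + -(-size // BLOCK) * BLOCK  # data padded to blocks
        if next_offset <= offset or next_offset > len(data):
            raise UnsafeTarError(f"member at offset {offset} has invalid size {size}")
        name = header[0:100].rstrip(b"\x00").decode("utf-8", "replace")
        members.append((name, offset, size))
        if len(members) > max_members:
            raise UnsafeTarError("too many members")
        offset = next_offset
    return members

def safe_open(data: bytes) -> tarfile.TarFile:
    """Hand an uncompressed archive to tarfile only after it passes the screen."""
    screen_tar(data)
    return tarfile.open(fileobj=io.BytesIO(data), mode="r:")

def build_sample() -> bytes:
    """Constructed benign archive (two small members) used to exercise the screen."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, payload in (("a.txt", b"hello"), ("b/c.bin", b"x" * 600)):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

Because the screen only trusts plain octal sizes, it also refuses legitimate archives that use GNU base-256 sizes for very large members; for untrusted input that trade-off is usually acceptable.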
How to fix CVE-2025-8194
To remediate CVE-2025-8194, upgrade the affected package to a fixed version below.
- —upgrade to 3.9.24 or later
- —upgrade to 3.9.24 or later
- —upgrade to 3.9.24 or later
- —no fix listed
- —no fix listed
- —upgrade to 3.11.2-6+deb12u7 or later
- —upgrade to 3.13.5-2+deb13u1 or later
- —upgrade to 3.9.2-1+deb11u4 or later
Is CVE-2025-8194 being exploited?
Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.
Affected packages (8)
- from 0, < 3.9.24, >= 3.10.0, < 3.10.19, >= 3.11.0, < 3.11.14, >= 3.12.0, < 3.12.12, >= 3.13.0, < 3.13.6
- from 0, < 3.9.24, >= 3.10.0, < 3.10.19, >= 3.11.0, < 3.11.14, >= 3.12.0, < 3.12.12, >= 3.13.0, < 3.13.6
- from 0, < 3.9.24, >= 3.10.0, < 3.10.19, >= 3.11.0, < 3.11.14, >= 3.12.0, < 3.12.12, >= 3.13.0, < 3.13.6
- from 0
- from 0
- from 0, < 3.11.2-6+deb12u7
- from 0, < 3.13.5-2+deb13u1
- from 0, < 3.9.2-1+deb11u4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |