CVE-2025-13462
9.8 CRITICAL
Published: 2026-03-12 · Last updated: 2026-06-05
Severity and scoring
- CVSS: 9.8 CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-20, CWE-434, CWE-74
Affected products
| Vendor | Product |
|---|---|
| python | python |
Description
The "tarfile" module would still apply its normalization of AREGTYPE (\x00) header blocks to DIRTYPE even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. As a result, a crafted tar archive could be interpreted differently by the tarfile module than by other tar implementations.
Source: NVD
References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13462
- Patch: https://github.com/python/cpython/commit/42d754e34c06e57ad6b8e7f92f32af679912d8ab
- Patch: https://github.com/python/cpython/commit/72dde1016493c52abe857fc4a7bf6c40138b4114
- Patch: https://github.com/python/cpython/commit/7ad3093d76a748af55bdb1d2e8aad3638163b017
- Patch: https://github.com/python/cpython/commit/9a23b753552afa28e3a2f4d8863572fc66479406
- Patch: https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7
- Patch: https://github.com/python/cpython/commit/d10950739a78f54d0718d88fb5a868374603c084
- Other (issue): https://github.com/python/cpython/issues/141707
- Patch (pull request): https://github.com/python/cpython/pull/143934
- Vendor advisory: https://mail.python.org/archives/list/security-announce@python.org/thread/EOMI5I66ZMKQ2INNFT6T7IAIKUGPZYIE/
Related CVEs
Same vendor
- CVE-2026-7210 — `xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML d... (9.8 CRITICAL)
- CVE-2026-3087 — If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be... (7.5 HIGH)
- CVE-2026-6019 — http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context (6.1 MEDIUM)
- CVE-2026-4224 — When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content mo... (7.5 HIGH)
- CVE-2026-3644 — The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete (7.5 HIGH)
Same CWE
- CVE-2026-49218 — ImageMagick is free and open-source software used for editing and manipulating digital images (7.5 HIGH)
- CVE-2024-21944 — Improper input validation for DIMM serial presence detect (SPD) metadata could allow an attacker with physical access, ring0 access on a ... (5.3 MEDIUM)
- CVE-2026-48110 — Russh is a Rust SSH client & server library (7.5 HIGH)
- CVE-2026-48108 — Russh is a Rust SSH client & server library (5.3 MEDIUM)
- CVE-2026-48107 — Russh is a Rust SSH client & server library (6.5 MEDIUM)