CVE-2025-8194

Summary

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.

This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1

Affected Software

VendorProductVersion RangeStatus
Python Software FoundationCPython0 < 3.10.19affected
Python Software FoundationCPython3.11.0 < 3.11.14affected
Python Software FoundationCPython3.12.0 < 3.12.12affected
Python Software FoundationCPython3.13.0 < 3.13.6affected
Python Software FoundationCPython3.14.0a1 < 3.14.0rc2affected

Weaknesses

  • CWE-835: CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References