CVE-2025-13462

The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPELONGNAME or GNUTYPELONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.

Database specific

{
    "cna_assigner": "PSF",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/13xxx/CVE-2025-13462.json"
}

References

Affected packages

Git / github.com/python/cpython

Affected ranges

Type

GIT

Repo

https://github.com/python/cpython

Events

Introduced

Fixed

01104ce1beb3135c2e0c01ec835b994c1f55a1c0

Introduced

ebf955df7a89ed0c7968f79faec1de49f61ed7cb

Fixed

23116f998f6789d8c2fbe5ed5b8146854c8c2a4f

Fixed

42d754e34c06e57ad6b8e7f92f32af679912d8ab

Fixed

72dde1016493c52abe857fc4a7bf6c40138b4114

Fixed

7ad3093d76a748af55bdb1d2e8aad3638163b017

Fixed

9a23b753552afa28e3a2f4d8863572fc66479406

Fixed

ae99fe3a33b43e303a05f012815cef60b611a9c7

Fixed

d10950739a78f54d0718d88fb5a868374603c084

Database specific

{
    "cpe": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.13.13"
        },
        {
            "introduced": "3.14.0"
        },
        {
            "fixed": "3.14.4"
        }
    ]
}

Affected versions

v0.*

v0.9.8

v0.9.9

v1.*

v1.0.1

v1.0.2

v1.1

v1.1.1

v1.2

v1.2b1

v1.2b2

v1.2b3

v1.2b4

v1.3

v1.3b1

v1.4

v1.4b1

v1.4b2

v1.4b3

v1.5

v1.5.1

v1.5.2

v1.5.2a1

v1.5.2a2

v1.5.2b1

v1.5.2b2

v1.5.2c1

v1.5a1

v1.5a2

v1.5a3

v1.5a4

v1.5b1

v1.5b2

v1.6a1

v1.6a2

v2.*

v2.0

v2.0b1

v2.0b2

v2.0c1

v2.1

v2.1a1

v2.1a2

v2.1b1

v2.1b2

v2.1c1

v2.1c2

v2.2a3

v2.3c1

v2.3c2

v2.4

v2.4a1

v2.4a2

v2.4a3

v2.4b1

v2.4b2

v2.4c1

v3.*

v3.0a1

v3.0a2

v3.0a3

v3.0a4

v3.0a5

v3.0b1

v3.0b2

v3.0b3

v3.0rc1

v3.0rc2

v3.0rc3

v3.1

v3.10.0a1

v3.10.0a7

v3.10.0b1

v3.10.0b2

v3.10.0b3

v3.10.0b4

v3.10.0rc1

v3.10.0rc2

v3.10.1

v3.10.10

v3.10.11

v3.10.12

v3.10.13

v3.10.14

v3.10.15

v3.10.16

v3.10.17

v3.10.18

v3.10.19

v3.10.2

v3.10.20

v3.10.3

v3.10.4

v3.10.5

v3.10.6

v3.10.7

v3.10.8

v3.10.9

v3.11.0a3

v3.11.0a4

v3.11.0a5

v3.11.0a6

v3.11.0a7

v3.11.0b1

v3.11.0b2

v3.11.0b3

v3.11.0b4

v3.11.0b5

v3.11.0rc1

v3.11.0rc2

v3.11.1

v3.11.10

v3.11.11

v3.11.12

v3.11.13

v3.11.14

v3.11.15

v3.11.2

v3.11.3

v3.11.4

v3.11.5

v3.11.6

v3.11.7

v3.11.8

v3.11.9

v3.12.0

v3.12.0a1

v3.12.0a2

v3.12.0a3

v3.12.0a4

v3.12.0a5

v3.12.0a6

v3.12.0a7

v3.12.0b1

v3.12.0b2

v3.12.0b3

v3.12.0b4

v3.12.0rc1

v3.12.0rc2

v3.12.0rc3

v3.12.1

v3.12.10

v3.12.11

v3.12.12

v3.12.13

v3.12.2

v3.12.3

v3.12.4

v3.12.5

v3.12.6

v3.12.7

v3.12.8

v3.12.9

v3.13.0

v3.13.0a1

v3.13.0a2

v3.13.0a3

v3.13.0a4

v3.13.0a5

v3.13.0a6

v3.13.0b1

v3.13.0b2

v3.13.0b3

v3.13.0b4

v3.13.0rc1

v3.13.0rc2

v3.13.0rc3

v3.13.1

v3.13.10

v3.13.11

v3.13.12

v3.13.2

v3.13.3

v3.13.4

v3.13.5

v3.13.6

v3.13.7

v3.13.8

v3.14.0

v3.14.0a1

v3.14.0a2

v3.14.0a3

v3.14.0a4

v3.14.0a5

v3.14.0a6

v3.14.0a7

v3.14.0b1

v3.14.1

v3.14.2

v3.14.3

v3.15.0a1

v3.15.0a2

v3.15.0a3

v3.15.0a4

v3.15.0a5

v3.15.0a6

v3.15.0a7

v3.1a1

v3.1a2

v3.1b1

v3.1rc1

v3.1rc2

v3.2a1

v3.2a2

v3.2a3

v3.2a4

v3.2b1

v3.2b2

v3.2rc1

v3.2rc2

v3.2rc3

v3.3.0a2

v3.3.0a3

v3.3.0a4

v3.3.0b1

v3.3.0b2

v3.3.0rc1

v3.3.0rc2

v3.3.0rc3

v3.4.0a1

v3.4.0a2

v3.4.0a3

v3.4.0a4

v3.4.0b1

v3.4.0b2

v3.4.0b3

v3.5.0a1

v3.5.0a2

v3.5.0a3

v3.5.0a4

v3.5.0b1

v3.6.0a3

v3.6.0b1

v3.7.0a2

v3.9.0a2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-13462.json"