CVE-2025-4435

When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/4xxx/CVE-2025-4435.json",
    "cna_assigner": "PSF"
}

References

Affected packages

Git / github.com/python/cpython

Affected ranges

Type

GIT

Repo

https://github.com/python/cpython

Events

Introduced

deaf509e8fc6e0363bd6f26d52ad42f976ec42f2

Introduced

0fb18b02c8ad56299d6a2910be0bab8ad601ef24

Introduced

60403a5409ff2c3f3b07dd2ca91a7a3e096839c7

Introduced

b092705907c758d4f9742028652c9802f9f03dd3

Fixed

88663ef89ba3576df02cc818c653f91c7d5dd023

Fixed

498b971ea3673012a1d4b21860b229d55fc6e575

Fixed

55fee9cf216abe4ec0d1139f94b1930fbd0c7644

Fixed

8a526ec7cbea8fafc9dae4b3dd6371906b9be342

Fixed

26d485d12255a10a8e965b561e7d8a70a732ec69

Fixed

19de092debb3d7e832e5672cc2f7b788d35951da

Fixed

28463dba112af719df1e8b0391c46787ad756dd9

Fixed

3612d8f51741b11f36f8fb0494d79086bac9390a

Fixed

4633f3f497b1ff70e4a35b6fe2c907cbe2d4cb2e

Fixed

9c1110ef6652687d7c55f590f909720eddde965a

Fixed

9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a

Fixed

aa9eb5f757ceff461e6e996f12c89e5d9b583b01

Fixed

dd8f187d0746da151e0025c51680979ac5b4cfb1

Database specific

{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.10.18"
        },
        {
            "introduced": "3.11.0"
        },
        {
            "fixed": "3.11.13"
        },
        {
            "introduced": "3.12.0"
        },
        {
            "fixed": "3.12.11"
        },
        {
            "introduced": "3.13.0"
        },
        {
            "fixed": "3.13.4"
        },
        {
            "introduced": "3.14.0a1"
        },
        {
            "fixed": "3.14.0b3"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

v0.*

v0.9.8

v0.9.9

v1.*

v1.0.1

v1.0.2

v1.1

v1.1.1

v1.2

v1.2b1

v1.2b2

v1.2b3

v1.2b4

v1.3

v1.3b1

v1.4

v1.4b1

v1.4b2

v1.4b3

v1.5

v1.5.1

v1.5.2

v1.5.2a1

v1.5.2a2

v1.5.2b1

v1.5.2b2

v1.5.2c1

v1.5a1

v1.5a2

v1.5a3

v1.5a4

v1.5b1

v1.5b2

v1.6a1

v1.6a2

v2.*

v2.0

v2.0b1

v2.0b2

v2.0c1

v2.1

v2.1a1

v2.1a2

v2.1b1

v2.1b2

v2.1c1

v2.1c2

v2.2a3

v2.3c1

v2.3c2

v2.4

v2.4a1

v2.4a2

v2.4a3

v2.4b1

v2.4b2

v2.4c1

v3.*

v3.0a1

v3.0a2

v3.0a3

v3.0a4

v3.0a5

v3.0b1

v3.0b2

v3.0b3

v3.0rc1

v3.0rc2

v3.0rc3

v3.1

v3.10.0a1

v3.10.0a7

v3.10.0b1

v3.10.0b2

v3.10.0b3

v3.10.0b4

v3.10.0rc1

v3.10.0rc2

v3.10.1

v3.10.10

v3.10.11

v3.10.12

v3.10.13

v3.10.14

v3.10.15

v3.10.16

v3.10.17

v3.10.2

v3.10.3

v3.10.4

v3.10.5

v3.10.6

v3.10.7

v3.10.8

v3.10.9

v3.11.0a3

v3.11.0a4

v3.11.0a5

v3.11.0a6

v3.11.0a7

v3.11.0b1

v3.11.0b2

v3.11.0b3

v3.11.0b4

v3.11.0b5

v3.11.0rc1

v3.11.0rc2

v3.11.1

v3.11.10

v3.11.11

v3.11.12

v3.11.2

v3.11.3

v3.11.4

v3.11.5

v3.11.6

v3.11.7

v3.11.8

v3.11.9

v3.12.0

v3.12.1

v3.12.10

v3.12.2

v3.12.3

v3.12.4

v3.12.5

v3.12.6

v3.12.7

v3.12.8

v3.12.9

v3.13.0

v3.13.1

v3.13.2

v3.13.3

v3.14.0b1

v3.14.0b2

v3.1a1

v3.1a2

v3.1b1

v3.1rc1

v3.1rc2

v3.2a1

v3.2a2

v3.2a3

v3.2a4

v3.2b1

v3.2b2

v3.2rc1

v3.2rc2

v3.2rc3

v3.3.0a2

v3.3.0a3

v3.3.0a4

v3.3.0b1

v3.3.0b2

v3.3.0rc1

v3.3.0rc2

v3.3.0rc3

v3.4.0a1

v3.4.0a2

v3.4.0a3

v3.4.0a4

v3.4.0b1

v3.4.0b2

v3.4.0b3

v3.5.0a1

v3.5.0a2

v3.5.0a3

v3.5.0a4

v3.5.0b1

v3.6.0a3

v3.6.0b1

v3.7.0a2

v3.9.0a2

v3.9.0b1

v3.9.0b3

v3.9.0b5

v3.9.11

v3.9.12

v3.9.13

v3.9.14

v3.9.15

v3.9.16

v3.9.17

v3.9.18

v3.9.19

v3.9.2

v3.9.20

v3.9.21

v3.9.22

v3.9.2rc1

v3.9.5

v3.9.6

v3.9.7

v3.9.8

v3.9.9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-4435.json"