CVE-2025-13462
LOWCPython Tarfile Archive Misinterpretation via AREGTYPE Block Normalization
Title source: llmDescription
The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.
References (9)
Core 9
Core References
Issue Tracking patch
https://github.com/python/cpython/pull/143934
Issue Tracking issue-tracking
https://github.com/python/cpython/issues/141707
Various Sources vendor-advisory
https://mail.python.org/archives/list/[email protected]/thread/EOMI5I66ZMKQ2INNFT6T7IAIKUGPZYIE/
Scores
CVSS v3
3.3
EPSS
0.0016
EPSS Percentile
5.9%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-20
CWE-434
CWE-74
Status
published
Products (6)
python/python
3.15.0 alpha1 (7 CPE variants)
python/python
< 3.13.13
Python Software Foundation/CPython
< 3.13.13
Python Software Foundation/CPython
< 3.15.0
Python Software Foundation/CPython
3.14.0 - 3.14.4
Python Software Foundation/CPython
3.15.0a1 - 3.15.0a8
Published
Mar 12, 2026
Tracked Since
Mar 13, 2026