CVE-2025-4138
Severity: HIGH
CPython Path Traversal via TarFile Extraction Filter Bypass
Title source: llm
Exploitation Summary
EIP tracks 6 public exploits for CVE-2025-4138. PoCs published by DesertDemons, thefizzyfish, run3.
AI-analyzed exploit summary
This repository contains a proof-of-concept exploit for CVE-2025-4138 and CVE-2025-4517, which involve a path traversal vulnerability in Python's tarfile module. The exploit bypasses extraction filters via a symlink chain that exceeds PATH_MAX, enabling arbitrary file writes and potential privilege escalation.
Description
This vulnerability allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory and permitting the modification of some file metadata. You are affected by this vulnerability if you use the tarfile module to extract untrusted tar archives with TarFile.extractall() or TarFile.extract() and pass the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to "data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions, which are tar archives, as source distributions already allow arbitrary code execution during the build process. However, when evaluating source distributions it is important to avoid installing source distributions with suspicious links.
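As an added defender-side example (not code from this page, from CPython, or from any of the listed PoCs): a pre-extraction audit that refuses any archive containing link members or escaping names before extractall() is ever called, so safe extraction no longer rests on the built-in filter alone. The function names and the in-memory sample archive are constructed for this illustration.

```python
import io
import os
import tarfile
import tempfile

def audit_archive(data):
    """Return [(name, reason)] for each member the policy refuses.

    Stricter than filter="data": every symlink/hard-link member is refused
    outright, so the verdict does not depend on the filter's own link handling.
    """
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.issym() or m.islnk():
                problems.append((m.name, "link member"))
            elif os.path.isabs(m.name) or ".." in m.name.split("/"):
                problems.append((m.name, "path escapes destination"))
    return problems

def safe_extractall(data, dest):
    """Refuse the whole archive on any finding; keep filter="data" as a second layer."""
    bad = audit_archive(data)
    if bad:
        raise ValueError(f"refusing archive: {bad}")
    # filter= exists on 3.12+ and on the releases that backported it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        tar.extractall(dest, **kwargs)

def extract_to_tempdir(data):
    """Extract into a scratch directory; return the relative paths written."""
    with tempfile.TemporaryDirectory() as dest:
        safe_extractall(data, dest)
        return sorted(os.path.relpath(os.path.join(r, f), dest)
                      for r, _d, fs in os.walk(dest) for f in fs)

def build_sample_archive(with_symlink):
    """Constructed in-memory archive: one regular file, optionally one symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = b"hello\n"
        info = tarfile.TarInfo("docs/readme.txt")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
        if with_symlink:
            link = tarfile.TarInfo("docs/link")
            link.type = tarfile.SYMTYPE
            link.linkname = "../escape"
            tar.addfile(link)
    return buf.getvalue()
```

Refusing every link member is a coarse policy; archives that legitimately need symlinks should be handled by a separate, explicitly reviewed path rather than by loosening this check.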
Exploits (6)
This repository contains a functional exploit for CVE-2025-4138, which bypasses Python's tarfile filter by leveraging a PATH_MAX symlink chain to achieve arbitrary file write outside the extraction directory. The exploit constructs a malicious tar file with a series of symlinks that overflow the path resolution buffer, allowing an attacker to write files to arbitrary locations on the target system.
This exploit leverages a tar symlink path traversal vulnerability (CVE-2025-4138) to escape directory restrictions and overwrite /root/.ssh/authorized_keys, achieving root RCE via SSH. The PoC automates key generation, malicious tar creation, and exploit triggering.
This repository contains a functional exploit PoC for CVE-2025-4138, a path traversal vulnerability in Python's `tarfile` module. The exploit leverages symlink chains to exceed `PATH_MAX`, bypassing safety checks and enabling arbitrary file writes outside the extraction directory.
This repository contains a functional exploit for CVE-2025-4138, a directory traversal vulnerability in Python's TarFile module. The exploit leverages symlinks and path manipulation to bypass PATH_MAX checks, allowing arbitrary file writes (e.g., SSH authorized_keys) for privilege escalation.
This repository contains a functional Python script that generates a malicious tar archive exploiting CVE-2025-4138 (Path Traversal via PATH_MAX Truncation in Python's tarfile module). The exploit creates a symlink chain to bypass path resolution checks and writes a sudoers file to grant passwordless root access.
References (12)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N