CVE-2025-8194
HIGHCPython TarFile Extraction Infinite Loop Vulnerability
Title source: llmDescription
There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module: https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1
References (13)
Core 13
Core References
Issue Tracking issue-tracking
https://github.com/python/cpython/issues/130577
Issue Tracking patch
https://github.com/python/cpython/pull/137027
Various Sources vendor-advisory
https://mail.python.org/archives/list/[email protected]/thread/ZULLF3IZ726XP5EY7XJ7YIN3K5MDYR2D/
Various Sources mitigation
https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1
Scores
CVSS v3
7.5
EPSS
0.0059
EPSS Percentile
43.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-835
Status
published
Products (7)
Python Software Foundation/CPython
< 3.10.19
Python Software Foundation/CPython
< 3.9.24
Python Software Foundation/CPython
3.10.0 - 3.10.19
Python Software Foundation/CPython
3.11.0 - 3.11.14
Python Software Foundation/CPython
3.12.0 - 3.12.12
Python Software Foundation/CPython
3.13.0 - 3.13.6
Python Software Foundation/CPython
3.14.0a1 - 3.14.0rc2
Published
Jul 28, 2025
Tracked Since
Feb 18, 2026