CVE-2025-8194 Information

Description

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.

This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:

import tarfile

def _block_patched(self, count):
    if count < 0:  # pragma: no cover
        raise tarfile.InvalidHeaderError("invalid offset")
    return _block_patched._orig_block(self, count)

_block_patched._orig_block = tarfile.TarInfo._block
tarfile.TarInfo._block = _block_patched
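To confirm that the mitigation is in effect and that well-formed archives still work afterwards, the following added check (not part of the advisory or of CPython) applies the patch above and then probes TarInfo._block directly with a negative count instead of parsing a crafted archive; the probe entry name and the sample payload are constructed for the example.

```python
import io
import tarfile

# The mitigation from the advisory: refuse negative block counts before the
# original TarInfo._block rounds them up to a block boundary.
def _block_patched(self, count):
    if count < 0:
        raise tarfile.InvalidHeaderError("invalid offset")
    return _block_patched._orig_block(self, count)

_block_patched._orig_block = tarfile.TarInfo._block
tarfile.TarInfo._block = _block_patched


def negative_offset_rejected(count=-512):
    """True if the patched _block raises InvalidHeaderError for a negative count."""
    probe = tarfile.TarInfo(name="probe")  # constructed entry, content irrelevant
    try:
        tarfile.TarInfo._block(probe, count)
    except tarfile.InvalidHeaderError:
        return True
    return False


def block_rounding(count):
    """Non-negative counts must still round up to the 512-byte tar block size."""
    return tarfile.TarInfo(name="probe")._block(count)


def roundtrip_ok():
    """A well-formed in-memory archive still lists and extracts after patching."""
    payload = b"hello from a constructed sample archive\n"  # constructed sample
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name="sample.txt")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    buf.seek(0)
    with tarfile.open(fileobj=buf, mode="r") as tf:
        names = tf.getnames()
        data = tf.extractfile("sample.txt").read()
    return names == ["sample.txt"] and data == payload


if __name__ == "__main__":
    print("negative offset rejected:", negative_offset_rejected())
    print("rounding 513 ->", block_rounding(513))
    print("round-trip ok:", roundtrip_ok())
```

On an interpreter that already ships the upstream fix, the negative-count probe raises InvalidHeaderError even without the monkeypatch, so the check passes either way.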

Reference

https://github.com/python/cpython/commit/7040aa54f14676938970e10c5f74ea93cd56aa38
https://github.com/python/cpython/commit/cdae923ffe187d6ef916c0f665a31249619193fe
https://github.com/python/cpython/issues/130577
https://github.com/python/cpython/pull/137027
https://mail.python.org/archives/list/security-announce@python.org/thread/ZULLF3IZ726XP5EY7XJ7YIN3K5MDYR2D/

CNNVD-202507-3503 (Published: 2025-07-28)
