CVE-2024-12718: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Python Software Foundation CPython
Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Only Python versions 3.12 or later are affected by these vulnerabilities; earlier versions don't include the extraction filter feature. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to "data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives, as source distributions already allow arbitrary code execution during the build process. However, when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
AI Analysis
Technical Summary
CVE-2024-12718 is a medium-severity path traversal vulnerability (CWE-22) affecting the Python Software Foundation's CPython implementation, specifically versions 3.12 and later. The issue arises in the tarfile module when extracting tar archives using the TarFile.extractall() or TarFile.extract() methods with the filter parameter set to "data" or "tar". This vulnerability allows an attacker to modify file metadata such as last modified timestamps or file permissions (chmod) on files outside the intended extraction directory. The root cause is improper limitation of pathname traversal, enabling crafted tar archives to escape the extraction directory constraints and alter files elsewhere on the filesystem. Notably, this vulnerability does not significantly impact the installation of source distributions packaged as tar archives, since arbitrary code execution is already possible during their build process. However, it poses a risk when extracting untrusted tar archives in environments that rely on these filtering options. The vulnerability is present starting with Python 3.12, and from Python 3.14 onwards, the default filter value changed to "data", increasing the risk for users relying on default behavior. The CVSS v3.1 base score is 5.3, reflecting a network-exploitable vulnerability with low complexity, no privileges or user interaction required, and an impact limited to integrity (modification of file metadata), without affecting confidentiality or availability. There are no known exploits in the wild at this time, and no patches have been linked yet. Users of affected Python versions who extract tar archives with these filters should be aware of the risk of unauthorized file metadata modification outside the extraction directory.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized modification of file metadata or permissions on critical systems if untrusted tar archives are extracted using the vulnerable Python tarfile module with the specified filters. While it does not allow direct code execution or data disclosure, altering file timestamps or permissions can facilitate further attacks such as privilege escalation, evasion of security controls, or disruption of system integrity. Organizations relying on automated deployment, CI/CD pipelines, or software distribution mechanisms that use Python 3.12+ and extract tar archives with these filters are particularly at risk. This includes software vendors, cloud service providers, and enterprises using Python-based automation tools. The change in default filter behavior in Python 3.14 increases the attack surface for users unaware of this change. Given the widespread use of Python across European industries, including finance, manufacturing, and government sectors, exploitation could undermine trust in software supply chains and operational stability. However, the lack of known exploits and the medium severity score suggest the immediate risk is moderate but should not be ignored.
Mitigation Recommendations
1. Avoid extracting untrusted tar archives using the tarfile module with filter="data" or filter="tar" in Python versions 3.12 and later.
2. Upgrade to the latest Python version once patches addressing this vulnerability are released.
3. Implement strict validation and sanitization of tar archive contents before extraction, including checking for path traversal attempts and suspicious file metadata changes.
4. Use alternative extraction methods or libraries that enforce strict directory confinement and do not rely on the vulnerable filter options.
5. Monitor file system changes, especially metadata and permission modifications, in directories where tar archives are extracted to detect anomalous activity.
6. Educate developers and DevOps teams about the change in default filter behavior starting with Python 3.14 to prevent inadvertent exposure.
7. Employ sandboxing or containerization for processes that handle untrusted archives to limit the impact of potential exploitation.
8. Review and harden CI/CD pipelines and software supply chain processes to minimize the risk of malicious tar archives being introduced.
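Recommendations 3 and 4 above call for vetting an archive before anything is written and for refusing members that are not confined to the destination. The block below is an added example, not code from the advisory or from CPython: it scans every member of an untrusted tar archive up front (absolute or climbing paths, device nodes, and symlinks or hard links whose target resolves outside the extraction root are rejected), fails closed if any member is rejected, and otherwise extracts with a filter that layers these checks on top of the standard library's data filter where that filter is available. The archive it vets is constructed in memory for the demonstration; the member names, link targets and the `UnsafeMember` exception are assumptions made for this example.

```python
# Added example: conservative pre-extraction vetting for untrusted tar archives.
# Not the advisory's or CPython's own code; names and sample members are constructed here.
import io
import os
import posixpath
import tarfile
from typing import List, Optional

# tarfile.FilterError and tarfile.data_filter exist on 3.12+ (and the patched
# 3.8-3.11 releases); degrade gracefully so the module still imports elsewhere.
_FilterError = getattr(tarfile, "FilterError", Exception)
_data_filter = getattr(tarfile, "data_filter", None)


class UnsafeMember(_FilterError):
    """Raised when an archive member must not be extracted (example-specific)."""


def _normalized(name: str) -> str:
    # Archive names use '/' separators; normalize lexically, without touching the filesystem.
    return posixpath.normpath(name.replace(os.sep, "/"))


def is_confined(path: str) -> bool:
    """True if the lexically normalized path stays at or below the extraction root."""
    norm = _normalized(path)
    return not (norm.startswith("/") or norm == ".." or norm.startswith("../"))


def vet_member(member: tarfile.TarInfo) -> Optional[str]:
    """Return None if the member looks safe to extract, otherwise a rejection reason."""
    if not is_confined(member.name):
        return f"{member.name!r}: path escapes extraction directory"
    if member.isdev():
        return f"{member.name!r}: device files are not allowed"
    if member.issym() or member.islnk():
        # Hard-link targets are archive-relative; symlink targets are relative to
        # the link's own directory, so resolve them before checking confinement.
        if member.islnk():
            target = member.linkname
        else:
            target = posixpath.join(posixpath.dirname(_normalized(member.name)), member.linkname)
        if not is_confined(target):
            return f"{member.name!r}: link target {member.linkname!r} escapes extraction directory"
    return None


def strict_filter(member: tarfile.TarInfo, dest_path: str) -> tarfile.TarInfo:
    """Extraction filter: apply our checks, then the stdlib data filter if present."""
    reason = vet_member(member)
    if reason is not None:
        raise UnsafeMember(reason)
    if _data_filter is not None:
        member = _data_filter(member, dest_path)
    return member


def vet_archive(fileobj) -> List[str]:
    """Scan the whole archive before writing anything; return every rejection reason."""
    reasons = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            reason = vet_member(member)
            if reason is not None:
                reasons.append(reason)
    return reasons


def safe_extractall(archive_path: str, dest: str) -> List[str]:
    """Fail closed: refuse the entire archive if any member is rejected, then extract."""
    with open(archive_path, "rb") as f:
        reasons = vet_archive(f)
    if reasons:
        raise UnsafeMember("; ".join(reasons))
    with tarfile.open(archive_path, mode="r:*") as tar:
        if _data_filter is not None:
            tar.extractall(dest, filter=strict_filter)
        else:
            tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


def build_sample_archive() -> bytes:
    """Constructed sample archive (not a real artefact): one benign file, two unsafe members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"
        readme = tarfile.TarInfo("pkg/README")
        readme.size = len(data)
        tar.addfile(readme, io.BytesIO(data))

        climb = tarfile.TarInfo("../outside.txt")  # path climbs above the destination
        climb.size = 0
        tar.addfile(climb, io.BytesIO(b""))

        link = tarfile.TarInfo("pkg/escape")  # symlink whose target resolves outside the root
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()


def demo() -> List[str]:
    """Vet the constructed sample; returns the two rejection reasons."""
    return vet_archive(io.BytesIO(build_sample_archive()))


if __name__ == "__main__":
    for reason in demo():
        print("rejected:", reason)
```

Scanning the whole archive first matters because a per-member filter only rejects a member at the moment it is reached, after earlier members have already been written; the pre-scan lets a pipeline discard a suspicious archive without extracting anything from it.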
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: PSF
- Date Reserved: 2024-12-17T17:04:51.209Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 683ef51d182aa0cae27c315d
Added to database: 6/3/2025, 1:14:05 PM
Last enriched: 7/3/2025, 6:39:37 PM
Last updated: 8/15/2025, 2:01:41 AM
Related Threats
- CVE-2025-41242: Vulnerability in VMware Spring Framework (Medium)
- CVE-2025-47206: CWE-787 in QNAP Systems Inc. File Station 5 (High)
- CVE-2025-5296: CWE-59 Improper Link Resolution Before File Access ('Link Following') in Schneider Electric SESU (High)
- CVE-2025-6625: CWE-20 Improper Input Validation in Schneider Electric Modicon M340 (High)
- CVE-2025-57703: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Delta Electronics DIAEnergie (Medium)