CVE-2024-12718: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Python Software Foundation CPython
Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
AI Analysis
Technical Summary
This vulnerability in CPython's tarfile module (CVE-2024-12718) involves improper limitation of pathname to a restricted directory (CWE-22). When extracting tar archives using TarFile.extractall() or TarFile.extract() with the filter parameter set to "data" or "tar", attackers can modify file metadata such as last modified timestamps or file permissions outside the extraction directory. This affects Python versions 3.12 and later, with the default filter changing to "data" in Python 3.14, potentially increasing the risk if default extraction behavior is used. Earlier versions do not include the extraction filter feature and are not affected. The vulnerability does not notably affect source distribution installations due to their inherent risk profile.
Potential Impact
The vulnerability allows an attacker who can supply a crafted tar archive to modify file metadata or permissions outside the intended extraction directory during extraction. This could lead to unauthorized changes to file attributes, potentially aiding further attacks or evasion. There is no direct impact on confidentiality or availability, and no known exploits have been reported. Source distribution installations are not significantly affected due to existing risks during build processes.
Mitigation Recommendations
Patch status is not yet confirmed — check the Python Software Foundation advisory for current remediation guidance. Until a fix is available, avoid extracting untrusted tar archives using TarFile.extractall() or TarFile.extract() with the filter parameter set to "data" or "tar". For Python 3.14 or later, be aware that the default filter is "data", so explicitly specify a safer filter or avoid extraction of untrusted archives. Exercise caution when installing source distributions with suspicious links. Monitor official Python advisories for updates and patches.
CVE-2024-12718: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Python Software Foundation CPython
Description
Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in CPython's tarfile module (CVE-2024-12718) involves improper limitation of pathname to a restricted directory (CWE-22). When extracting tar archives using TarFile.extractall() or TarFile.extract() with the filter parameter set to "data" or "tar", attackers can modify file metadata such as last modified timestamps or file permissions outside the extraction directory. This affects Python versions 3.12 and later, with the default filter changing to "data" in Python 3.14, potentially increasing the risk if default extraction behavior is used. Earlier versions do not include the extraction filter feature and are not affected. The vulnerability does not notably affect source distribution installations due to their inherent risk profile.
Potential Impact
The vulnerability allows an attacker who can supply a crafted tar archive to modify file metadata or permissions outside the intended extraction directory during extraction. This could lead to unauthorized changes to file attributes, potentially aiding further attacks or evasion. There is no direct impact on confidentiality or availability, and no known exploits have been reported. Source distribution installations are not significantly affected due to existing risks during build processes.
Mitigation Recommendations
Patch status is not yet confirmed — check the Python Software Foundation advisory for current remediation guidance. Until a fix is available, avoid extracting untrusted tar archives using TarFile.extractall() or TarFile.extract() with the filter parameter set to "data" or "tar". For Python 3.14 or later, be aware that the default filter is "data", so explicitly specify a safer filter or avoid extraction of untrusted archives. Exercise caution when installing source distributions with suspicious links. Monitor official Python advisories for updates and patches.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- PSF
- Date Reserved
- 2024-12-17T17:04:51.209Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 683ef51d182aa0cae27c315d
Added to database: 6/3/2025, 1:14:05 PM
Last enriched: 4/22/2026, 5:44:21 AM
Last updated: 5/9/2026, 10:25:12 AM
Views: 176
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.