CVE-2025-4330 is a high-severity path traversal vulnerability (CWE-22) in the Python Software Foundation's CPython implementation, specifically affecting the tarfile module's extraction functionality. The vulnerability arises when using the TarFile.extractall() or TarFile.extract() methods with the filter parameter set to "data" or "tar". This flaw allows attackers to bypass the intended extraction filters, enabling symlink targets within tar archives to point outside the designated extraction directory. Consequently, an attacker can manipulate file metadata or place files arbitrarily on the filesystem, potentially overwriting critical files or planting malicious payloads. This issue is particularly relevant starting with Python 3.14, where the default filter value changed to "data", meaning that even default extraction calls may be affected if relying on this behavior. The vulnerability does not significantly impact the installation of source distributions since those already permit arbitrary code execution during build processes, but it raises concerns when extracting untrusted tar archives in general. The CVSS v3.1 score of 7.5 reflects a high severity, with network attack vector, low attack complexity, no privileges or user interaction required, and impact limited to integrity compromise without affecting confidentiality or availability. No known exploits are currently reported in the wild, but the vulnerability poses a serious risk for applications that programmatically extract untrusted tar archives using the affected Python versions (0, 3.10.0 through 3.14.0a1).

For European organizations, this vulnerability presents a significant risk, especially for those relying on Python-based applications or automation scripts that handle tar archive extraction. The ability to write files outside the intended directory can lead to unauthorized modification of system or application files, potentially enabling privilege escalation, persistence mechanisms, or tampering with critical data. Industries such as finance, healthcare, and government, which often process large volumes of data and use Python for automation, are particularly vulnerable. The integrity compromise could disrupt business operations, lead to data corruption, or facilitate further attacks. Since no authentication or user interaction is required, attackers can exploit this remotely if the vulnerable functionality is exposed via network services or automated pipelines processing untrusted archives. The change in default behavior in Python 3.14 increases the attack surface, as developers may be unaware that their extraction code is now vulnerable by default. This could lead to widespread exposure in European organizations adopting the latest Python versions without adequate review. Additionally, supply chain security is at risk if malicious tar archives are introduced during software distribution or update processes.

European organizations should immediately audit their use of the tarfile module in Python applications, focusing on calls to TarFile.extractall() and TarFile.extract() with the filter parameter set to "data" or "tar" or relying on the default filter behavior in Python 3.14 and later. Mitigation steps include: 1) Avoid extracting untrusted tar archives or ensure archives are from verified, trusted sources. 2) Implement strict validation of tar archive contents before extraction, including checking for symlinks and path traversal attempts. 3) Use sandboxed or isolated environments for extraction processes to limit potential damage. 4) Upgrade to patched Python versions once available or apply vendor-provided patches promptly. 5) If upgrading is not immediately possible, consider using alternative extraction libraries or custom extraction logic that enforces strict path sanitization. 6) Incorporate security scanning and static analysis tools to detect unsafe extraction patterns in codebases. 7) Educate developers about the changed default filter behavior in Python 3.14 to prevent inadvertent exposure. 8) Monitor systems for unexpected file modifications or suspicious activity related to tar extraction.