Vulnerability DatabaseCVE-2025-13462
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-13462
Published:March 12, 2026
Updated:May 17, 2026
The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.
Related Resources (8)
https://github.com/python/cpython/commit/9a23b753552afa28e3a2f4d8863572fc66479406
https://github.com/python/cpython/issues/141707
https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7
https://github.com/python/cpython/commit/7ad3093d76a748af55bdb1d2e8aad3638163b017
https://mail.python.org/archives/list/security-announce@python.org/thread/EOMI5I66ZMKQ2INNFT6T7IAIKUGPZYIE/
https://github.com/python/cpython/pull/143934
https://github.com/python/cpython/commit/72dde1016493c52abe857fc4a7bf6c40138b4114
https://github.com/python/cpython/commit/42d754e34c06e57ad6b8e7f92f32af679912d8ab
Do you need more information?
Contact Us
CVSS v4
Base Score:
2
Attack Vector
LOCAL
Attack Complexity
HIGH
Attack Requirements
PRESENT
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
2.5
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Improper Input Validation
CWE-20
Unrestricted Upload of File with Dangerous Type
CWE-434
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-74
EPSS
Base Score:
0.01