🔐 CVE Alert

CVE-2025-8194

HIGH 7.5

Tarfile infinite loop during parsing with negative member offset

CVSS Score
7.5
EPSS Score
0.2%
EPSS Percentile
48th

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1

CWE CWE-835
Vendor python software foundation
Product cpython
Published Jul 28, 2025
Last Updated Apr 21, 2026
Stay Ahead of the Next One

Get instant alerts for python software foundation cpython

Be the first to know when new high vulnerabilities affecting python software foundation cpython are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Affected Versions

Python Software Foundation / CPython
0 < 3.10.19 3.11.0 < 3.11.14 3.12.0 < 3.12.12 3.13.0 < 3.13.6 3.14.0a1 < 3.14.0rc2

References

NVD ↗ CVE.org ↗ EPSS Data ↗
github.com: https://github.com/python/cpython/issues/130577 github.com: https://github.com/python/cpython/pull/137027 mail.python.org: https://mail.python.org/archives/list/[email protected]/thread/ZULLF3IZ726XP5EY7XJ7YIN3K5MDYR2D/ github.com: https://github.com/python/cpython/commit/7040aa54f14676938970e10c5f74ea93cd56aa38 github.com: https://github.com/python/cpython/commit/cdae923ffe187d6ef916c0f665a31249619193fe gist.github.com: https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1 github.com: https://github.com/python/cpython/commit/c9d9f78feb1467e73fd29356c040bde1c104f29f github.com: https://github.com/python/cpython/commit/fbc2a0ca9ac8aff6887f8ddf79b87b4510277227 github.com: https://github.com/python/cpython/commit/57f5981d6260ed21266e0c26951b8564cc252bc2 github.com: https://github.com/python/cpython/commit/73f03e4808206f71eb6b92c579505a220942ef19 github.com: https://github.com/python/cpython/commit/b4ec17488eedec36d3c05fec127df71c0071f6cb openwall.com: http://www.openwall.com/lists/oss-security/2025/07/28/1 openwall.com: http://www.openwall.com/lists/oss-security/2025/07/28/2

Credits

🔍 Alexander Urieles Seth Larson Ethan Furman Steve Dower