CVE-2025-8291

MEDIUM 4.3

ZIP64 End of Central Directory (EOCD) Locator record offset not checked

CVSS Score

4.3

EPSS Score

0.1%

EPSS Percentile

30th

The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.

Vendor	python software foundation
Product	cpython
Published	Oct 7, 2025
Last Updated	Apr 21, 2026

Stay Ahead of the Next One

Get instant alerts for python software foundation cpython

Be the first to know when new medium vulnerabilities affecting python software foundation cpython are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Affected Versions

Python Software Foundation / CPython

0 < 3.10.19 3.11.0 < 3.11.14 3.12.0 < 3.12.12 3.13.0 < 3.13.10 3.14.0 < 3.14.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

Credits

🔍 Caleb Brown (Google) Serhiy Storchaka Seth Larson