CVE-2025-13462 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2025-13462

CVE-2025-13462

March 12, 2026

The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.

Related Resources (6)

https://github.com/python/cpython/pull/143934

https://mail.python.org/archives/list/security-announce@python.org/thread/EOMI5I66ZMKQ2INNFT6T7IAIKUGPZYIE/

https://github.com/python/cpython/commit/7ad3093d76a748af55bdb1d2e8aad3638163b017

https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7

https://github.com/python/cpython/issues/141707

https://github.com/python/cpython/commit/42d754e34c06e57ad6b8e7f92f32af679912d8ab

Do you need more information?

CVSS v4

Base Score:

Attack Vector

LOCAL

Attack Complexity

HIGH

Attack Requirements

PRESENT

Privileges Required

LOW

User Interaction

NONE

Vulnerable System Confidentiality

NONE

Vulnerable System Integrity

LOW

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

2.5

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Weakness Type (CWE)

Unrestricted Upload of File with Dangerous Type

CWE-434

Improper Input Validation

CWE-20

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

EPSS

Base Score:

0.01

Products

Solutions

Resources

Company

Compare

Developer Tools