VDB
BIT-python-2025-4138
BIT-python-2025-4138
PUBLISHED
CVSS 7.5 HIGH
Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory
Risk Scores
CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | python | 0, 3.10.0, 3.11.0 |
Exploit Intelligence
- CVE-2025-4138 / CVE-2025-4517 — Python tarfile PATH_MAX Symlink Filter Bypass (github-poc-repo)
- A Python script to generate a malicious tar archive that exploits CVE-2025-4138 / CVE-2025-4517. (github-poc-repo)
- Tarfile module directory traversal vulnerability ( with overflow crossed Directory ) --> Lead to Privilege escalation (github-poc-repo)
- CVE-2025-4138 - Python Arbitrary file write outside extraction directory (github-poc-repo)
- d3vn0mi/CVE-2025-4138-POC (github-poc-repo)
- d3vn0mi/CVE-2025-4138-POC (github-poc)
- Tarfile module directory traversal vulnerability ( with overflow crossed Directory ) --> Lead to Privilege escalation (github-poc)
- A Python script to generate a malicious tar archive that exploits CVE-2025-4138 / CVE-2025-4517. (github-poc)
- CVE-2025-4138 - Python Arbitrary file write outside extraction directory (github-poc)
- CVE-2025-4138 / CVE-2025-4517 — Python tarfile PATH_MAX Symlink Filter Bypass (github-poc)
…and 1 more exploits
Timeline
- Jul 10, 2025 CVE Published
- Aug 11, 2025 CVE Updated
References
- https://gist.github.com/sethmlarson/52398e33eff261329a0180ac1d54f42f url
- https://github.com/python/cpython/commit/19de092debb3d7e832e5672cc2f7b788d35951da url
- https://github.com/python/cpython/commit/28463dba112af719df1e8b0391c46787ad756dd9 url
- https://github.com/python/cpython/commit/3612d8f51741b11f36f8fb0494d79086bac9390a url
- https://github.com/python/cpython/commit/4633f3f497b1ff70e4a35b6fe2c907cbe2d4cb2e url
- https://github.com/python/cpython/commit/9c1110ef6652687d7c55f590f909720eddde965a url
- https://github.com/python/cpython/commit/9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a url
- https://github.com/python/cpython/commit/aa9eb5f757ceff461e6e996f12c89e5d9b583b01 url
- https://github.com/python/cpython/commit/dd8f187d0746da151e0025c51680979ac5b4cfb1 url
- https://github.com/python/cpython/issues/135034 url
- https://github.com/python/cpython/pull/135037 url
- https://mail.python.org/archives/list/security-announce@python.org/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/ url
- https://nvd.nist.gov/vuln/detail/CVE-2025-4138 url