DEBIAN-CVE-2025-8194

DEBIAN-CVE-2025-8194 PUBLISHED CVSS 7.5 HIGH

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module: https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

Vendor	Product	Versions
Debian:14	python3.13	3.13.5-2, 0, 3.13.5-2
Debian:14	pypy3	*, 7.3.20+dfsg, 7.3.20+dfsg
Debian:12	pypy3	7.3.19+dfsg, 7.3.18+dfsg, 7.3.16+dfsg
Debian:11	pypy3	7.3.20+dfsg, 7.3.20+dfsg, 7.3.21+dfsg
Debian:13	python3.13	3.13.5-2, 0, 3.13.9-1
Debian:11	python2.7	2.7.18-10, 2.7.18-12, 2.7.18-13
Debian:12	python3.11	3.11.2-6+deb12u1, 3.11.2-6, 0
Debian:11	python3.9	3.9.2-1, 3.9.2-1+deb11u2, 3.9.2-1+deb11u3
Debian:13	pypy3	0, 7.3.19+dfsg, 7.3.20+dfsg

Timeline

Jul 28, 2025 CVE Published
May 16, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2025-8194 advisory

Open in Interactive Console →