Warning: Multiple vulnerabilities in CPython lead to arbitrary writes, file permission modification, and more. Patch Immediately!

  • Published: 25/06/2025
  • Last update: 25/06/2025
  • Affected software:
    → CPython (versions from 3.10.0 before 3.10.18, from 3.11.0 before 3.11.13, from 3.12.0 before 3.12.11, from 3.13.0 before 3.13.4, from 3.14.0a1 before 3.14.0)
  • Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CVE/CVSS
    → CVE-2025-4517: CVSS 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
    → CVE-2025-4330: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
    → CVE-2025-4138: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
    → CVE-2024-12718: CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
    → CVE-2025-4435: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Sources

https://seclists.org/oss-sec/2025/q2/273

Risks

Multiple vulnerabilities affect the standard-library tarfile module (TarFile) in CPython. Currently, there is no indication that these vulnerabilities are actively exploited, but because they are zero-days with a substantial install base, attackers could exploit them at any moment.

An attacker could exploit these flaws to bypass safety checks when extracting compressed files, allowing them to write files outside intended directories, create malicious links, or tamper with system files—even when protections are supposedly enabled. Successful exploitation could lead to unauthorised access, data corruption, or malware installation, especially if your systems or third-party tools handle untrusted file uploads or archives.

Description

Multiple issues arise when extracting untrusted archives with TarFile.extractall() and TarFile.extract(), especially when using the "filter" parameter.

  • CVE-2025-4517 allows for arbitrary writes outside of the extraction directory.
  • CVE-2025-4330 and CVE-2025-4138 allow the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.
  • CVE-2024-12718 allows modifying file permissions and metadata of files outside the extraction directory.
  • CVE-2025-4435: when extracting with an error level of 0 (errorlevel=0), the extraction filter does not work as documented; members that the filter should reject are extracted anyway, so all files are extracted.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-4517
https://nvd.nist.gov/vuln/detail/CVE-2025-4330
https://nvd.nist.gov/vuln/detail/CVE-2025-4138
https://nvd.nist.gov/vuln/detail/CVE-2024-12718
https://nvd.nist.gov/vuln/detail/CVE-2025-4435