Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-12718
Summary
CPython is the primary and reference implementation of the Python programming language. Its tarfile module allows modifying some file metadata (e.g., last modified time) with `filter="data"`, or file permissions (chmod) with `filter="tar"`, of files outside the extraction directory. You are affected by this vulnerability if you use the tarfile module to extract untrusted tar archives with `TarFile.extractall()` or `TarFile.extract()` and the `filter=` parameter set to "data" or "tar". See the tarfile extraction filters documentation: https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Note that for Python 3.14 or later, the default value of `filter=` changed from "no filtering" to "data", so if you are relying on this new default behavior, your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions, which are tar archives, as source distributions already allow arbitrary code execution during the build process. However, when evaluating source distributions, it is important to avoid installing source distributions with suspicious links. This issue affects CPython versions 3.8, 3.8.17 through 3.8.20, 3.9.17 through 3.9.22, 3.10.12 through 3.10.17, 3.11.4 through 3.11.12, 3.12.0b1 through 3.12.10, 3.13.0a1 through 3.13.3, and 3.14.0a1 through 3.14.0b2. This has the same fix as CVE-2025-4138, CVE-2025-4330, and CVE-2025-4517.
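As an added illustration (not part of this advisory and not CPython's own code): a defensive pre-extraction check that vets every archive member against the destination directory, refuses symbolic and hard links outright, and only then hands the vetted members to `extractall()` with `filter="data"` where the interpreter provides `tarfile.data_filter`. The archive it extracts is a constructed fixture built inline; `name_is_safe`, `member_is_safe`, `extract_untrusted` and `run_demo` are hypothetical helper names.

```python
import io
import os
import tarfile
import tempfile

def name_is_safe(name: str, dest: str) -> bool:
    """True only if `name`, joined to `dest`, resolves to a path under `dest`."""
    if os.path.isabs(name) or ".." in name.replace("\\", "/").split("/"):
        return False
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    return os.path.commonpath([root, target]) == root

def member_is_safe(member: tarfile.TarInfo, dest: str) -> bool:
    """Vet one entry. Links are refused outright rather than resolved, because
    the advisory concerns link targets that escape the extraction root."""
    return name_is_safe(member.name, dest) and not (member.issym() or member.islnk())

def extract_untrusted(data: bytes, dest: str):
    """Extract only vetted members; add the built-in 'data' filter where available."""
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        members = tar.getmembers()
        ok = [m for m in members if member_is_safe(m, dest)]
        skipped = [m for m in members if not member_is_safe(m, dest)]
        tar.extractall(dest, members=ok, **kwargs)
    return [m.name for m in ok], [m.name for m in skipped]

def build_sample_archive() -> bytes:
    """Constructed fixture: a regular file, a symlink member, and a '..' name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        body = b"hello\n"
        regular = tarfile.TarInfo("docs/readme.txt")
        regular.size = len(body)
        tar.addfile(regular, io.BytesIO(body))
        link = tarfile.TarInfo("docs/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../outside"
        tar.addfile(link)
        tar.addfile(tarfile.TarInfo("../escape.txt"))  # size 0, regular file
    return buf.getvalue()

def run_demo():
    """Extract the fixture into a temp dir; report kept, skipped and written names."""
    with tempfile.TemporaryDirectory() as dest:
        ok, skipped = extract_untrusted(build_sample_archive(), dest)
        written = sorted(os.listdir(os.path.join(dest, "docs")))
    return ok, skipped, written
```

On interpreters older than the fixed releases, where `tarfile.data_filter` is absent, the vetting step alone still keeps every extracted path under the destination.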
- LOW
- NETWORK
- LOW
- UNCHANGED
- NONE
- NONE
- NONE
- NONE
CWE-22 - Path Traversal
Path traversal (or directory traversal) is a vulnerability that allows malicious users to traverse the server's root directory, gaining access to arbitrary files and folders such as application code and data, back-end credentials, and sensitive operating system files. In the worst-case scenario, an attacker could potentially execute arbitrary files on the server, resulting in a denial of service attack. Such an exploit may severely impact the integrity, confidentiality, and availability of an application.
Advisory Timeline
- Published