A newly disclosed vulnerability in Python's tarfile module, tracked as CVE-2025-8194, can hang any application that parses an attacker-supplied archive: a crafted member sends the parser into an infinite loop, which is a denial-of-service (DoS) condition. The advisory names 3.14.0 as the fixed release, and the check was backported to later security releases of the supported 3.9 through 3.13 branches, so verify the changelog of the exact version you run rather than assuming everything below 3.14 is unpatched. The flaw is rated 7.5 (High) on the CVSS scale.
“The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives,” the advisory warns.
The vulnerability lies in the TarFile extraction and entry-enumeration APIs of CPython's standard tarfile module. tarfile locates each member's header by adding the previous member's padded data length to the current position. Tar numeric fields may be stored in GNU base-256 form, which can encode a negative number, and the unpatched parser accepted a negative value without complaint. The computed offset then points at or before the header just read, so the next call to TarFile.next() parses the same header again, forever. Nothing is written out of bounds; the archive simply never finishes parsing.
An attacker needs only to hand the application a tar file with deliberately malformed member metadata. Any code path that lists or extracts the archive (getmembers(), getnames(), extractall(), iteration over the TarFile object) stalls indefinitely, which in turn can cause:
- Resource exhaustion
- Application hangs
- System unresponsiveness
- Denial-of-service conditions
The official fix ships in Python 3.14.0 (and in the backported security releases noted above). Developers stuck on an older interpreter can apply a temporary mitigation by patching the module at runtime:
The patch adds a check that raises an exception when a negative offset is encountered, so the crafted archive is rejected instead of being parsed in a loop.
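As a self-contained illustration of both the bug mechanism and a pre-scan guard, the following is an added example; it is neither the runtime patch referred to above nor CPython's own fix. It reimplements tarfile's numeric-field decoding and block-rounding arithmetic, builds two archives in memory (one benign, one constructed with a base-256 size field of -512, the value that makes the computed next-header offset equal the current one), and refuses to hand an archive to tarfile until the header chain has been walked and every member is known to advance the stream. Function names such as scan_members, safe_open and craft_negative_size_tar are the example's own, and the headers are hand-built ustar records, not taken from any real file.

```python
import io
import tarfile

BLOCKSIZE = 512
NUL = b"\0"


def nti(field: bytes) -> int:
    """Decode a tar numeric field with tarfile.nti's rules: ASCII octal, or
    GNU base-256 when the first byte is 0o200 (positive) / 0o377 (negative)."""
    if field[0] in (0o200, 0o377):
        n = int.from_bytes(field[1:], "big")
        if field[0] == 0o377:
            n -= 256 ** (len(field) - 1)      # two's complement: negative value
        return n
    text = field.split(NUL, 1)[0].decode("ascii").strip()
    return int(text or "0", 8)


def block_len(count: int) -> int:
    """Same arithmetic as TarInfo._block: round up to whole 512-byte blocks.
    A negative count yields a negative length, which is the root of the bug."""
    blocks, remainder = divmod(count, BLOCKSIZE)
    return (blocks + bool(remainder)) * BLOCKSIZE


def unsigned_chksum(header: bytes) -> int:
    """ustar checksum: byte sum with the 8-byte chksum field read as spaces."""
    return sum(header[:148]) + 8 * 0x20 + sum(header[156:BLOCKSIZE])


def scan_members(data: bytes):
    """Walk the header chain of an uncompressed ustar archive without tarfile.
    Returns [(name, size, header_offset)]; raises ValueError when a member's
    size is negative or the next header would not lie strictly ahead."""
    offset, members = 0, []
    while offset + BLOCKSIZE <= len(data):
        header = data[offset:offset + BLOCKSIZE]
        if header.count(NUL) == BLOCKSIZE:            # end-of-archive block
            break
        if nti(header[148:156]) != unsigned_chksum(header):
            raise ValueError(f"bad checksum at offset {offset}")
        name = header[:100].split(NUL, 1)[0].decode("utf-8", "surrogateescape")
        size = nti(header[124:136])
        next_offset = offset + BLOCKSIZE + block_len(size)  # what tarfile computes
        if size < 0 or next_offset <= offset:
            raise ValueError(f"member {name!r} at {offset}: size {size} moves the "
                             f"read position back to {next_offset}")
        if next_offset > len(data):
            raise ValueError(f"member {name!r} is truncated")
        members.append((name, size, offset))
        offset = next_offset
    return members


def safe_open(data: bytes) -> tarfile.TarFile:
    """Pre-scan guard for hosts that cannot upgrade: reject the archive before
    tarfile's own parser touches it. A mitigation, not the upstream fix."""
    scan_members(data)
    return tarfile.open(fileobj=io.BytesIO(data), mode="r:")


def is_rejected(data: bytes) -> bool:
    try:
        safe_open(data)
    except ValueError:
        return True
    return False


# Constructed sample archives: hand-built ustar headers, not from any real file.
def build_header(name: bytes, size_field: bytes, typeflag: bytes = b"0") -> bytes:
    h = bytearray(BLOCKSIZE)
    h[0:len(name)] = name
    h[100:108] = b"0000644\0"                  # mode
    h[108:116] = b"0000000\0"                  # uid
    h[116:124] = b"0000000\0"                  # gid
    h[124:136] = size_field
    h[136:148] = b"00000000000\0"              # mtime
    h[156:157] = typeflag
    h[257:265] = b"ustar\0" + b"00"            # magic + version
    h[148:156] = b"%06o\0 " % unsigned_chksum(h)
    return bytes(h)


def octal_size(n: int) -> bytes:
    return b"%011o\0" % n


def base256_size(n: int) -> bytes:
    """GNU base-256 size field; the encoding itself permits negative values."""
    if n < 0:
        return bytes([0o377]) + (n + 256 ** 11).to_bytes(11, "big")
    return bytes([0o200]) + n.to_bytes(11, "big")


def craft_benign_tar() -> bytes:
    payload = b"hello\n"
    return (build_header(b"hello.txt", octal_size(len(payload)))
            + payload.ljust(BLOCKSIZE, NUL) + bytes(2 * BLOCKSIZE))


def craft_negative_size_tar() -> bytes:
    """Benign member first, then a member whose size field decodes to -512.
    For it, offset_data + _block(-512) equals its own header offset, so an
    unpatched TarFile.next() re-reads that header forever."""
    return (craft_benign_tar()[:2 * BLOCKSIZE]
            + build_header(b"loop.txt", base256_size(-512))
            + bytes(2 * BLOCKSIZE))
```

The guard deliberately does not run the crafted archive through tarfile: on an unpatched interpreter that call never returns. Its limits are those of a pre-scan: it needs the whole archive in memory, it handles only uncompressed ustar/GNU headers (decompress first for .tar.gz), and it does not parse pax extended headers, whose size override tarfile applies separately. Upgrading to a release that contains the fix remains the real remedy.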