Fluid Attacks Database

Description

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module: https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	python2.7	=2.7.18-10 \|\| =2.7.18-11 \|\| =2.7.18-12 \|\| =2.7.18-13 \|\| =2.7.18-13.1 \|\| =2.7.18-13.1~exp1 \|\| =2.7.18-13.2 \|\| =2.7.18-8 \|\| =2.7.18-8+deb11u1 \|\| =2.7.18-9	-
debian 12	python3.11	=3.11.2-6 \|\| =3.11.2-6+deb12u1 \|\| =3.11.2-6+deb12u2 \|\| =3.11.2-6+deb12u3 \|\| =3.11.2-6+deb12u4 \|\| =3.11.2-6+deb12u5 \|\| =3.11.2-6+deb12u6 \|\| >=0 <3.11.2-6+deb12u7	3.11.2-6+deb12u7
debian 13	python3.13	=3.13.5-2 \|\| >=0 <3.13.5-2+deb13u1	3.13.5-2+deb13u1
debian 14	python3.13	=3.13.5-2 \|\| >=0 <3.13.6-1	3.13.6-1
debian 11	python3.9	=3.9.2-1 \|\| =3.9.2-1+deb11u1 \|\| =3.9.2-1+deb11u2 \|\| =3.9.2-1+deb11u3 \|\| >=0 <3.9.2-1+deb11u4	3.9.2-1+deb11u4
debian 13	pypy3	=7.3.19+dfsg-2 \|\| =7.3.20+dfsg-1 \|\| =7.3.20+dfsg-2 \|\| =7.3.20+dfsg-3 \|\| =7.3.20+dfsg-4 \|\| =7.3.21+dfsg-1 \|\| =7.3.21+dfsg-2 \|\| =7.3.21+dfsg-3 \|\| =7.3.21+dfsg-4 \|\| =7.3.22+dfsg-1	-
debian 11	pypy3	=7.3.10+dfsg-1 \|\| =7.3.10~rc3+dfsg-1 \|\| =7.3.10~rc3+dfsg-2 \|\| =7.3.11+dfsg-1 \|\| =7.3.11+dfsg-2 \|\| =7.3.12+dfsg-1 \|\| =7.3.12~rc1+dfsg-1 \|\| =7.3.12~rc2+dfsg-1 \|\| =7.3.13+dfsg-1 \|\| =7.3.14+dfsg-1 \|\| =7.3.15+dfsg-1 \|\| =7.3.16+dfsg-1 \|\| =7.3.16+dfsg-2 \|\| =7.3.17+dfsg-1 \|\| =7.3.17+dfsg-2 \|\| =7.3.17+dfsg-3 \|\| =7.3.18+dfsg-1 \|\| =7.3.18+dfsg-2 \|\| =7.3.19+dfsg-1 \|\| =7.3.19+dfsg-2 \|\| =7.3.20+dfsg-1 \|\| =7.3.20+dfsg-2 \|\| =7.3.20+dfsg-3 \|\| =7.3.20+dfsg-4 \|\| =7.3.21+dfsg-1 \|\| =7.3.21+dfsg-2 \|\| =7.3.21+dfsg-3 \|\| =7.3.21+dfsg-4 \|\| =7.3.22+dfsg-1 \|\| =7.3.5+dfsg-2 \|\| =7.3.5+dfsg-2+deb11u1 \|\| =7.3.5+dfsg-2+deb11u2 \|\| =7.3.5+dfsg-2+deb11u3 \|\| =7.3.5+dfsg-2+deb11u4 \|\| =7.3.5+dfsg-2+deb11u5 \|\| =7.3.6+dfsg-1 \|\| =7.3.6~rc2+dfsg-1 \|\| =7.3.6~rc2+dfsg-2 \|\| =7.3.7+dfsg-1 \|\| =7.3.7+dfsg-2 \|\| =7.3.7+dfsg-3 \|\| =7.3.7+dfsg-4 \|\| =7.3.7+dfsg-5 \|\| =7.3.8+dfsg-1 \|\| =7.3.8+dfsg-2 \|\| =7.3.8~rc1+dfsg-1 \|\| =7.3.8~rc1+dfsg-2 \|\| =7.3.9+dfsg-1 \|\| =7.3.9+dfsg-2 \|\| =7.3.9+dfsg-3 \|\| =7.3.9+dfsg-4 \|\| =7.3.9+dfsg-5	-
debian 12	pypy3	=7.3.11+dfsg-2 \|\| =7.3.11+dfsg-2+deb12u1 \|\| =7.3.11+dfsg-2+deb12u2 \|\| =7.3.11+dfsg-2+deb12u3 \|\| =7.3.12+dfsg-1 \|\| =7.3.12~rc1+dfsg-1 \|\| =7.3.12~rc2+dfsg-1 \|\| =7.3.13+dfsg-1 \|\| =7.3.14+dfsg-1 \|\| =7.3.15+dfsg-1 \|\| =7.3.16+dfsg-1 \|\| =7.3.16+dfsg-2 \|\| =7.3.17+dfsg-1 \|\| =7.3.17+dfsg-2 \|\| =7.3.17+dfsg-3 \|\| =7.3.18+dfsg-1 \|\| =7.3.18+dfsg-2 \|\| =7.3.19+dfsg-1 \|\| =7.3.19+dfsg-2 \|\| =7.3.20+dfsg-1 \|\| =7.3.20+dfsg-2 \|\| =7.3.20+dfsg-3 \|\| =7.3.20+dfsg-4 \|\| =7.3.21+dfsg-1 \|\| =7.3.21+dfsg-2 \|\| =7.3.21+dfsg-3 \|\| =7.3.21+dfsg-4 \|\| =7.3.22+dfsg-1	-
debian 14	pypy3	=7.3.19+dfsg-2 \|\| =7.3.20+dfsg-1 \|\| =7.3.20+dfsg-2 \|\| =7.3.20+dfsg-3 \|\| =7.3.20+dfsg-4 \|\| >=0 <7.3.21+dfsg-1	7.3.21+dfsg-1
rpm rhel8	python39-devel	<0:3.9.20-2.module+el8.10.0+23441+1124c1da	0:3.9.20-2.module+el8.10.0+23441+1124c1da

1-10 of 24

Aliases

1. CVE-2025-81942. NVD-2025-81943. OSV-DEBIAN-2025-81944. OSV-2025-81945. SECURITY-TRACKER-CVE-2025-8194

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.