René's URL Explorer Experiment


Title: Multiple tarfile extraction filter bypasses (`filter="tar"`/`filter="data"`) · Issue #135034 · python/cpython · GitHub

Open Graph Title: Multiple tarfile extraction filter bypasses (`filter="tar"`/`filter="data"`) · Issue #135034 · python/cpython

X Title: Multiple tarfile extraction filter bypasses (`filter="tar"`/`filter="data"`) · Issue #135034 · python/cpython

Description: Bug description: Public issue for fixing CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, and CVE-2024-12718. See full advisory on security-announce. [edit @encukou]: Also addresses CVE-2025-4435. Sorry for leaving that out of the commit mes...

Open Graph Description: Bug description: Public issue for fixing CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, and CVE-2024-12718. See full advisory on security-announce. [edit @encukou]: Also addresses CVE-2025-4435. Sorr...

X Description: Bug description: Public issue for fixing CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, and CVE-2024-12718. See full advisory on security-announce. [edit @encukou]: Also addresses CVE-2025-4435. Sorr...

Opengraph URL: https://github.com/python/cpython/issues/135034

X: @github

direct link

Domain: github.com

Hey, it has json ld scripts: 
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Multiple tarfile extraction filter bypasses (`filter=\"tar\"`/`filter=\"data\"`)","articleBody":"### Bug description:\n\nPublic issue for fixing CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, and CVE-2024-12718. [See full advisory on security-announce](https://mail.python.org/archives/list/security-announce@python.org/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/).\n\n[edit @encukou]: Also addresses  CVE-2025-4435. Sorry for leaving that out of the commit messages.\n\n### CPython versions tested on:\n\nCPython main branch\n\n### Operating systems tested on:\n\n_No response_\n\n\u003c!-- gh-linked-prs --\u003e\n### Linked PRs\n* gh-135037\n* gh-135064\n* gh-135065\n* gh-135066\n* gh-135068\n* gh-135070\n* gh-135084\n* gh-135093\n\u003c!-- /gh-linked-prs --\u003e\n","author":{"url":"https://github.com/sethmlarson","@type":"Person","name":"sethmlarson"},"datePublished":"2025-06-02T15:57:00.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/135034/cpython/issues/135034"}
route-pattern/_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format)
route-controllervoltron_issues_fragments
route-actionissue_layout
fetch-noncev2:f291c515-a9d4-45f9-7a63-e10f314eb6bf
current-catalog-service-hash81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114
request-id87B2:20E038:7221:90AB:696B30E7
html-safe-nonce8cd47a11449df31f53911ba2708cd51d4e9f3adbec0244327f8013379d7e2465
visitor-payloadeyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI4N0IyOjIwRTAzODo3MjIxOjkwQUI6Njk2QjMwRTciLCJ2aXNpdG9yX2lkIjoiODkzNTcxMjc5MDA0Mjg0OTUxMSIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9
visitor-hmacdb0b97f7e3e458f04e0bcbbf0b5f5011178c0e811cbf137b4df12924fc1b6664
hovercard-subject-tagissue:3110750130
github-keyboard-shortcutsrepository,issues,copilot
google-site-verificationApib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I
octolytics-urlhttps://collector.github.com/github/collect
analytics-location///voltron/issues_fragments/issue_layout
fb:app_id1401488693436528
apple-itunes-appapp-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/python/cpython/135034/issue_layout
twitter:imagehttps://opengraph.githubassets.com/691b422bbe8b15f1937d549349ddca7b3e7c6368eef4a54d89ab79246c366b29/python/cpython/issues/135034
twitter:cardsummary_large_image
og:imagehttps://opengraph.githubassets.com/691b422bbe8b15f1937d549349ddca7b3e7c6368eef4a54d89ab79246c366b29/python/cpython/issues/135034
og:image:altBug description: Public issue for fixing CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, and CVE-2024-12718. See full advisory on security-announce. [edit @encukou]: Also addresses CVE-2025-4435. Sorr...
og:image:width1200
og:image:height600
og:site_nameGitHub
og:typeobject
og:author:usernamesethmlarson
hostnamegithub.com
expected-hostnamegithub.com
None5f99f7c1d70f01da5b93e5ca90303359738944d8ab470e396496262c66e60b8d
turbo-cache-controlno-preview
go-importgithub.com/python/cpython git https://github.com/python/cpython.git
octolytics-dimension-user_id1525981
octolytics-dimension-user_loginpython
octolytics-dimension-repository_id81598961
octolytics-dimension-repository_nwopython/cpython
octolytics-dimension-repository_publictrue
octolytics-dimension-repository_is_forkfalse
octolytics-dimension-repository_network_root_id81598961
octolytics-dimension-repository_network_root_nwopython/cpython
turbo-body-classeslogged-out env-production page-responsive
disable-turbofalse
browser-stats-urlhttps://api.github.com/_private/browser/stats
browser-errors-urlhttps://api.github.com/_private/browser/errors
release82560a55c6b2054555076f46e683151ee28a19bc
ui-targetfull
theme-color#1e2327
color-schemelight dark

Links:

Skip to contenthttps://github.com/python/cpython/issues/135034#start-of-content
https://github.com/
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fpython%2Fcpython%2Fissues%2F135034
GitHub CopilotWrite better code with AIhttps://github.com/features/copilot
GitHub SparkBuild and deploy intelligent appshttps://github.com/features/spark
GitHub ModelsManage and compare promptshttps://github.com/features/models
MCP RegistryNewIntegrate external toolshttps://github.com/mcp
ActionsAutomate any workflowhttps://github.com/features/actions
CodespacesInstant dev environmentshttps://github.com/features/codespaces
IssuesPlan and track workhttps://github.com/features/issues
Code ReviewManage code changeshttps://github.com/features/code-review
GitHub Advanced SecurityFind and fix vulnerabilitieshttps://github.com/security/advanced-security
Code securitySecure your code as you buildhttps://github.com/security/advanced-security/code-security
Secret protectionStop leaks before they starthttps://github.com/security/advanced-security/secret-protection
Why GitHubhttps://github.com/why-github
Documentationhttps://docs.github.com
Bloghttps://github.blog
Changeloghttps://github.blog/changelog
Marketplacehttps://github.com/marketplace
View all featureshttps://github.com/features
Enterpriseshttps://github.com/enterprise
Small and medium teamshttps://github.com/team
Startupshttps://github.com/enterprise/startups
Nonprofitshttps://github.com/solutions/industry/nonprofits
App Modernizationhttps://github.com/solutions/use-case/app-modernization
DevSecOpshttps://github.com/solutions/use-case/devsecops
DevOpshttps://github.com/solutions/use-case/devops
CI/CDhttps://github.com/solutions/use-case/ci-cd
View all use caseshttps://github.com/solutions/use-case
Healthcarehttps://github.com/solutions/industry/healthcare
Financial serviceshttps://github.com/solutions/industry/financial-services
Manufacturinghttps://github.com/solutions/industry/manufacturing
Governmenthttps://github.com/solutions/industry/government
View all industrieshttps://github.com/solutions/industry
View all solutionshttps://github.com/solutions
AIhttps://github.com/resources/articles?topic=ai
Software Developmenthttps://github.com/resources/articles?topic=software-development
DevOpshttps://github.com/resources/articles?topic=devops
Securityhttps://github.com/resources/articles?topic=security
View all topicshttps://github.com/resources/articles
Customer storieshttps://github.com/customer-stories
Events & webinarshttps://github.com/resources/events
Ebooks & reportshttps://github.com/resources/whitepapers
Business insightshttps://github.com/solutions/executive-insights
GitHub Skillshttps://skills.github.com
Documentationhttps://docs.github.com
Customer supporthttps://support.github.com
Community forumhttps://github.com/orgs/community/discussions
Trust centerhttps://github.com/trust-center
Partnershttps://github.com/partners
GitHub SponsorsFund open source developershttps://github.com/sponsors
Security Labhttps://securitylab.github.com
Maintainer Communityhttps://maintainers.github.com
Acceleratorhttps://github.com/accelerator
Archive Programhttps://archiveprogram.github.com
Topicshttps://github.com/topics
Trendinghttps://github.com/trending
Collectionshttps://github.com/collections
Enterprise platformAI-powered developer platformhttps://github.com/enterprise
GitHub Advanced SecurityEnterprise-grade security featureshttps://github.com/security/advanced-security
Copilot for BusinessEnterprise-grade AI featureshttps://github.com/features/copilot/copilot-business
Premium SupportEnterprise-grade 24/7 supporthttps://github.com/premium-support
Pricinghttps://github.com/pricing
Search syntax tipshttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
documentationhttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fpython%2Fcpython%2Fissues%2F135034
Sign up https://github.com/signup?ref_cta=Sign+up&ref_loc=header+logged+out&ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E%2Fvoltron%2Fissues_fragments%2Fissue_layout&source=header-repo&source_repo=python%2Fcpython
Reloadhttps://github.com/python/cpython/issues/135034
Reloadhttps://github.com/python/cpython/issues/135034
Reloadhttps://github.com/python/cpython/issues/135034
python https://github.com/python
cpythonhttps://github.com/python/cpython
Please reload this pagehttps://github.com/python/cpython/issues/135034
Notifications https://github.com/login?return_to=%2Fpython%2Fcpython
Fork 33.9k https://github.com/login?return_to=%2Fpython%2Fcpython
Star 71.1k https://github.com/login?return_to=%2Fpython%2Fcpython
Code https://github.com/python/cpython
Issues 5k+ https://github.com/python/cpython/issues
Pull requests 2.1k https://github.com/python/cpython/pulls
Actions https://github.com/python/cpython/actions
Projects 31 https://github.com/python/cpython/projects
Security Uh oh! There was an error while loading. Please reload this page. https://github.com/python/cpython/security
Please reload this pagehttps://github.com/python/cpython/issues/135034
Insights https://github.com/python/cpython/pulse
Code https://github.com/python/cpython
Issues https://github.com/python/cpython/issues
Pull requests https://github.com/python/cpython/pulls
Actions https://github.com/python/cpython/actions
Projects https://github.com/python/cpython/projects
Security https://github.com/python/cpython/security
Insights https://github.com/python/cpython/pulse
New issuehttps://github.com/login?return_to=https://github.com/python/cpython/issues/135034
New issuehttps://github.com/login?return_to=https://github.com/python/cpython/issues/135034
Multiple tarfile extraction filter bypasses (filter="tar"/filter="data")https://github.com/python/cpython/issues/135034#top
triagedThe issue has been accepted as valid by a triager.https://github.com/python/cpython/issues?q=state%3Aopen%20label%3A%22triaged%22
type-securityA security issuehttps://github.com/python/cpython/issues?q=state%3Aopen%20label%3A%22type-security%22
https://github.com/sethmlarson
https://github.com/sethmlarson
sethmlarsonhttps://github.com/sethmlarson
on Jun 2, 2025https://github.com/python/cpython/issues/135034#issue-3110750130
CVE-2025-4517https://github.com/advisories/GHSA-6r6c-684h-9j7p
CVE-2025-4330https://github.com/advisories/GHSA-68pj-xrp5-vccj
CVE-2025-4138https://github.com/advisories/GHSA-4g4g-fqw4-prp2
CVE-2024-12718https://github.com/advisories/GHSA-2pg8-h2j6-28xm
See full advisory on security-announcehttps://mail.python.org/archives/list/security-announce@python.org/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/
@encukouhttps://github.com/encukou
CVE-2025-4435https://github.com/advisories/GHSA-p72v-37h5-753v
gh-135034: Normalize link targets in tarfile, add os.path.realpath(strict='allow_missing') #135037https://github.com/python/cpython/pull/135037
[3.13] gh-135034: Normalize link targets in tarfile, add os.path.realpath(strict='allow_missing') (GH-135037) #135064https://github.com/python/cpython/pull/135064
[3.14] gh-135034: Normalize link targets in tarfile, add os.path.realpath(strict='allow_missing') (gh-135037) #135065https://github.com/python/cpython/pull/135065
[3.12] gh-135034: Normalize link targets in tarfile, add os.path.realpath(strict='allow_missing') (GH-135037) #135066https://github.com/python/cpython/pull/135066
[3.11] gh-135034: Normalize link targets in tarfile, add os.path.realpath(strict='allow_missing') (GH-135037) #135068https://github.com/python/cpython/pull/135068
[3.10] gh-135034: Normalize link targets in tarfile, add os.path.realpath(strict='allow_missing') (GH-135037) #135070https://github.com/python/cpython/pull/135070
[3.9] gh-135034: Normalize link targets in tarfile, add os.path.realpath(strict='allow_missing') (GH-135037) #135084https://github.com/python/cpython/pull/135084
[3.12] gh-135034: Remove test_realpath_permission #135093https://github.com/python/cpython/pull/135093
triagedThe issue has been accepted as valid by a triager.https://github.com/python/cpython/issues?q=state%3Aopen%20label%3A%22triaged%22
type-securityA security issuehttps://github.com/python/cpython/issues?q=state%3Aopen%20label%3A%22type-security%22
https://github.com
Termshttps://docs.github.com/site-policy/github-terms/github-terms-of-service
Privacyhttps://docs.github.com/site-policy/privacy-policies/github-privacy-statement
Securityhttps://github.com/security
Statushttps://www.githubstatus.com/
Communityhttps://github.community/
Docshttps://docs.github.com/
Contacthttps://support.github.com?tags=dotcom-footer

Viewport: width=device-width

URLs of crawlers that visited me.