CVE-2025-8917: Python Tarfile Incomplete Symlink Validation

Tarfile extraction code that validates each member's `name` (the usual mitigation for CVE-2007-4559) but never inspects `member.linkname` for entries where `member.issym()` or `member.islnk()` is true. A crafted archive can then plant a symbolic or hard link whose target lies outside the intended extraction directory, and subsequent entries or writes through that link become path traversal. To fix, validate the `linkname` destination as well as the member name.

Provally Curated | Public repository | High | Medium confidence | Verified | Apache-2.0 | Python
greprules fetch cve-2025-8917-python-tarfile-incomplete-symlink-validation --engine opengrep

Description

Tarfile extraction code that validates each member's `name` (the usual mitigation for CVE-2007-4559) but never inspects `member.linkname` for entries where `member.issym()` or `member.islnk()` is true. Checking only the name is not enough: a symlink entry named `docs/link` with `linkname` `../../etc/cron.d` passes a name check, yet once created it points outside the extraction directory, and any later archive entry written beneath `docs/link/` (or any hard link whose `linkname` names a file outside the root) lands there. To fix, validate the `linkname` destination as well as the member name: resolve a symlink target relative to the directory that will contain the link, resolve a hard link target relative to the extraction root, and reject any member whose resolved target leaves the root. On Python 3.12 and the releases that received the backport, `extractall(..., filter="data")` performs this check in the standard library (`tarfile.data_filter` raises `AbsoluteLinkError` or `LinkOutsideDestinationError` for such links); custom validators written for older interpreters must do it themselves.
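The following is an added example written for this page, not code from the rule, from Provally, or from CPython. It places a name-only validator (the incomplete pattern the rule flags) beside one that also checks symlink and hard link targets, and runs both over a constructed in-memory archive containing an escaping symlink, an escaping hard link, a benign symlink, a regular file, and a classic `../` name. The helper names (`incomplete_check`, `complete_check`, `audit`, `demo`) and the archive contents are assumptions made for the demonstration.

```python
"""Member validation for tarfile extraction: name-only check vs. name + link-target check."""
import io
import os
import tarfile
import tempfile
from typing import Callable, Dict, Tuple

Validator = Callable[[tarfile.TarInfo, str], bool]


def _inside(base: str, candidate: str) -> bool:
    """True if the normalized absolute path `candidate` lies within `base` (or equals it)."""
    return os.path.commonpath([base, candidate]) == base


def incomplete_check(member: tarfile.TarInfo, dest: str) -> bool:
    """The classic CVE-2007-4559 mitigation: only member.name is validated.
    `dest` must already be an os.path.realpath()-normalized directory."""
    return _inside(dest, os.path.realpath(os.path.join(dest, member.name)))


def complete_check(member: tarfile.TarInfo, dest: str) -> bool:
    """Same as incomplete_check, plus validation of where a symlink or hard link points."""
    if not incomplete_check(member, dest):
        return False
    if member.issym():
        # A symlink target is interpreted relative to the directory that will hold the
        # link, so resolve it from there; an absolute linkname replaces link_dir entirely.
        link_dir = os.path.dirname(os.path.join(dest, member.name))
        return _inside(dest, os.path.realpath(os.path.join(link_dir, member.linkname)))
    if member.islnk():
        # A hard link target is a path relative to the archive root, i.e. to `dest`.
        return _inside(dest, os.path.realpath(os.path.join(dest, member.linkname)))
    return True


def build_sample_archive() -> bytes:
    """Constructed in-memory tar (hypothetical sample, not a real-world artifact)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"
        reg = tarfile.TarInfo("docs/readme.txt")  # benign regular file
        reg.size = len(data)
        tar.addfile(reg, io.BytesIO(data))

        sym = tarfile.TarInfo("docs/escape-sym")  # symlink pointing above dest
        sym.type = tarfile.SYMTYPE
        sym.linkname = "../../outside.txt"
        tar.addfile(sym)

        hard = tarfile.TarInfo("docs/escape-hard")  # hard link to a file above dest
        hard.type = tarfile.LNKTYPE
        hard.linkname = "../outside.txt"
        tar.addfile(hard)

        ok = tarfile.TarInfo("docs/ok-sym")  # symlink that stays inside dest
        ok.type = tarfile.SYMTYPE
        ok.linkname = "readme.txt"
        tar.addfile(ok)

        classic = tarfile.TarInfo("../classic.txt")  # plain CVE-2007-4559 style name
        classic.size = len(data)
        tar.addfile(classic, io.BytesIO(data))
    return buf.getvalue()


def audit(archive: bytes, dest: str, check: Validator) -> Dict[str, bool]:
    """Apply a validator to every member without extracting; returns {member name: allowed}."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return {m.name: check(m, dest) for m in tar.getmembers()}


def demo() -> Tuple[Dict[str, bool], Dict[str, bool]]:
    """Run both validators against the sample archive in a scratch directory."""
    archive = build_sample_archive()
    with tempfile.TemporaryDirectory() as scratch:
        dest = os.path.realpath(scratch)
        return audit(archive, dest, incomplete_check), audit(archive, dest, complete_check)


if __name__ == "__main__":
    name_only, with_links = demo()
    for name in name_only:
        print(f"{name:20} name-only={name_only[name]!s:5} name+links={with_links[name]}")
```

The name-only validator accepts both escaping links because their `name` fields are unremarkable; only the `../classic.txt` entry trips it. The second validator rejects both escaping links and still accepts the symlink whose target stays under `docs/`. Because `os.path.realpath` follows symlinks that already exist on disk, run the check per member in extraction order against the live destination tree (as `extractall` does with its `filter` callback), not once over `getmembers()` before anything is written, so that an entry nested under a previously created symlink is resolved through it.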