tarfile: infinite loop in CPython tarfile module (CVE-2025-8194) #shorts
Summary
In today’s episode we cover CVE-2025-8194, a denial of service vulnerability in the CPython tarfile module. Malicious tar archives with negative offsets can trigger an infinite loop and deadlock the parser, impacting any application that uses the built-in TarFile extraction or enumeration APIs.
Product details
This issue affects CPython releases before version 3.13.6 and all 3.14.0 alpha builds up to but not including the 3.14.0 final release. Distributions shipping vulnerable versions include Fedora 42 (fixed in python-3.13.6), Fedora 42 mingw-python3, Fedora 41 mingw-python3 (critical backport), openSUSE python39, and SUSE's Python package.
Vulnerability type summary
CWE-835: Loop with Unreachable Exit Condition. A logic defect in the tar implementation fails to stop processing on negative block offsets, causing an unbounded loop and effectively a denial of service.
Details of the vulnerability
The tarfile module uses a low-level _block method to read archive blocks. A crafted archive can present a negative offset, which the code does not reject. Instead of raising an error, the parser loops indefinitely trying to process the same data. Attackers can send or host malicious tar files to freeze extraction routines or crash background services. A temporary mitigation is to monkey-patch TarInfo._block to raise InvalidHeaderError on negative counts. Upstream fixes in 3.13.6 and 3.14.0 prevent negative offsets altogether.
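As an added illustration (not code from the episode or from CPython itself), the interim mitigation described above: a wrapper installed over tarfile.TarInfo._block that raises InvalidHeaderError on a negative count before the original rounding logic runs, the same condition the upstream fix checks. The helper names apply_patch and guarded_block are assumptions made for this example.

```python
"""Defensive guard for negative block counts in the stdlib tarfile module.

Example code written for this summary, not CPython's own. It wraps
TarInfo._block so a negative byte count raises tarfile.InvalidHeaderError
instead of being rounded and handed back to the header-walking loop.
On interpreters that already carry the upstream fix the wrapper is
redundant but harmless.
"""
import tarfile

# Keep a reference to the unpatched method so the wrapper can delegate to it.
_original_block = tarfile.TarInfo._block


def _safe_block(self, count):
    # Reject negative counts up front; a negative offset is never a valid
    # position for the next header or data block in a tar archive.
    if count < 0:
        raise tarfile.InvalidHeaderError("invalid offset")
    return _original_block(self, count)


def apply_patch():
    """Install the guard on TarInfo; safe to call more than once."""
    if tarfile.TarInfo._block is not _safe_block:
        tarfile.TarInfo._block = _safe_block


def interpreter_rejects_negative_offsets():
    """True when the *unpatched* stdlib already refuses a negative count,
    i.e. the running interpreter includes the upstream fix."""
    try:
        _original_block(tarfile.TarInfo(), -1)
    except tarfile.InvalidHeaderError:
        return True
    return False


def guarded_block(count):
    """Round `count` up to a whole 512-byte tar block through the patched
    method. Returns the rounded size, or None when the count is rejected."""
    apply_patch()
    try:
        return tarfile.TarInfo()._block(count)
    except tarfile.InvalidHeaderError:
        return None


if __name__ == "__main__":
    print("stdlib already fixed:", interpreter_rejects_negative_offsets())
    print("834 ->", guarded_block(834))   # rounds up to 1024
    print("-512 ->", guarded_block(-512))  # rejected -> None
```

Import this module before any tarfile.open() call (for example from a sitecustomize.py) so that archives are parsed through the guarded method from the start.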
Conclusion
Users and packagers should upgrade to CPython 3.13.6 or later, or to 3.14.0 when it reaches stable release. Distributions have released advisories and backports; apply those updates immediately. If you cannot upgrade, apply the supplied patch to reject negative offsets in the tarfile module.
Watch the full video on YouTube: CVE-2025-8194
Remediation and exploitation details
This chain involves the following actors:
- Malicious Archive Author: Creates a specially crafted tar archive with negative offsets to trigger the defect
- Script or Application Developer: Uses the CPython tarfile module to extract or enumerate archives
- System Administrator or End User: Runs code that invokes tarfile extraction or iteration
The following systems are involved:
- CPython tarfile module (Parsing, enumerating and extracting files from tar archives): Contains the vulnerable TarFile and TarInfo._block logic
- Target Host Environment (Runs Python interpreter and user applications): Executes maliciously crafted tar extraction leading to denial of service
Exploitation actions
Create a custom .tar file with manipulated header bytes
- Set the file size or data offset field to a large negative value in octal
- Append minimal payload so the header is accepted but offset is negative
Call extractall('target-dir') or iterate over tar object
- import tarfile, then: with tarfile.open('evil.tar', 'r') as tf: tf.extractall('out/')
- for entry in tarfile.open('evil.tar'): print(entry.name)
Negative count bypasses boundary checks, never advances file pointer
- TarInfo._block(self, count) sees count < 0, loops indefinitely reading same buffer
- Under threading or synchronous code, this deadlocks the extraction call
Infinite loop causes unresponsive application or thread deadlock
- Backup scripts hang indefinitely when processing evil.tar
- Automated deployment stalls on malicious archive
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://github.com/python/cpython/issues/130577
- https://github.com/python/cpython/pull/137027
- https://mail.python.org/archives/list/security-announce@python.org/thread/ZULLF3IZ726XP5EY7XJ7YIN3K5MDYR2D/
- https://github.com/python/cpython/commit/7040aa54f14676938970e10c5f74ea93cd56aa38
- https://github.com/python/cpython/commit/cdae923ffe187d6ef916c0f665a31249619193fe
- https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1
- https://github.com/python/cpython/commit/c9d9f78feb1467e73fd29356c040bde1c104f29f
- https://github.com/python/cpython/commit/fbc2a0ca9ac8aff6887f8ddf79b87b4510277227
- [2025-08-13] Fedora 42 releases Python 3.13.6 with a fix for an infinite loop vulnerability in Tarfile.
- [2025-08-12] Fedora 42 releases a security advisory for mingw-python3 addressing CVE-2025-8194 with a backport fix.
- [2025-08-12] Fedora 41 releases a critical CPython infinite loop fix for mingw-python3, backporting the fix for CVE-2025-8194.
- [2025-08-05] openSUSE issues a security advisory for a moderate Denial of Service vulnerability in python39.
- [2025-08-05] SUSE issues a security advisory for a moderate denial of service vulnerability in Python, identified as CVE-2025-8194.