Python Tarfile Module Extraction Filter Bypass Vulnerability

Vulnerability

The tarfile module in Python 3.12 and later allows an extraction filter to be bypassed. When TarFile.extract() or TarFile.extractall() is called with the filter parameter set to 'data' or 'tar' on a TarFile whose errorlevel attribute is 0, a member that the filter rejects is not skipped as documented: the filter's error is only logged and the original, unfiltered member is extracted. The problem matters more in Python 3.14 and later, where 'data' is the default filter and callers may rely on it without setting it explicitly; a crafted archive can then produce writes outside the intended extraction directory.

Impact

Exploitation causes the extraction filter to be ignored, so members the filter should have skipped are extracted. An archive can therefore deliver symbolic links whose targets lie outside the designated extraction directory, or members whose paths traverse outside it, giving the attacker the ability to overwrite files or directories beyond the extraction root.

Reproduction

To reproduce, open an archive, set errorlevel to 0 on the TarFile object (the default is 1), and extract with filter='data' or filter='tar'. Members that the filter should reject are extracted anyway. A test archive needs only a symbolic link whose target is outside the extraction directory (or a member with a traversing path); after extraction in an affected version the link is present in the output directory, whereas a fixed version skips it.

Remediation

Upgrade to Python 3.12.11 or 3.14.4, which contain the fix. Until then, never extract untrusted archives with errorlevel set to 0, and do not treat the 'data' or 'tar' filter as a safety guarantee when it is; leave errorlevel at its default of 1 (or raise it to 2) so that a filter error aborts extraction instead of being swallowed. If errorlevel=0 is required for other reasons, apply the filter to the member list yourself before calling extractall() and pass only the members that survive, rejecting any member whose path or link target would resolve outside the extraction directory.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          7.8
impact          2.5
exploitability  5.7
remediation     7.9
relevance       0.0
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.