Python CPython Windows ZIP Archive Extraction Vulnerability in shutil.unpack_archive

Vulnerability

A vulnerability exists in the Python CPython standard library's shutil module, specifically in the unpack_archive() function, which handles ZIP file extraction. On Windows, if a ZIP archive contains member names with an absolute, drive-prefixed path such as 'D:/...', those files can be extracted outside the designated target directory. The issue arises because the function does not properly sanitize Windows-specific path formats, so a crafted ZIP archive can write files outside the intended extraction location. This vulnerability is not present on other operating systems.

Impact

Exploitation of this vulnerability allows for arbitrary file writes outside the intended extraction directory on Windows.

Reproduction

The vulnerability can be reproduced by creating a ZIP archive that includes a file with a drive-prefixed name, such as 'D:/shutil_outside_min.txt'. When this archive is extracted using shutil.unpack_archive() with the extract_dir parameter set to a directory on a different drive, the file will be written outside the specified extraction directory.

Remediation

The vulnerability has been fixed in Python versions 3.11.16, 3.12.9, 3.13.5, 3.14.3, and 3.15.0. Users should upgrade to one of these versions.
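Where upgrading is not immediately possible, or where an application extracts archives it did not produce, the usual defensive pattern is to validate every member name before anything is written. The example below is added here and is not CPython's own fix nor code from the advisory; the function names (unsafe_member_reason, audit_zip, safe_extract) and the in-memory sample archives are constructed for illustration. The check deliberately uses ntpath rather than os.path so that a drive prefix like 'D:/' is recognised on every host OS: on POSIX, os.path.join(dest, 'D:/x') would silently treat the name as a relative path and miss exactly the case this advisory describes.

```python
import io
import ntpath
import os
import tempfile
import zipfile
from typing import Optional


def unsafe_member_reason(name: str) -> Optional[str]:
    """Return None if the member name can be safely joined under an extraction
    directory, otherwise a short reason for rejecting it."""
    if not name or "\x00" in name:
        return "empty name or NUL byte"
    # ntpath is used on purpose: it recognises 'D:' and UNC '//server/share'
    # prefixes regardless of the OS this code happens to run on.
    drive, tail = ntpath.splitdrive(name)
    if drive:
        return f"drive or UNC prefix {drive!r}"
    if tail.startswith(("/", "\\")):
        return "absolute path"
    parts = [p for p in tail.replace("\\", "/").split("/") if p not in ("", ".")]
    if ".." in parts:
        return "parent-directory component"
    return None


def audit_zip(data: bytes) -> dict:
    """Map every member name in the archive to its rejection reason (or None)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: unsafe_member_reason(info.filename) for info in zf.infolist()}


def archive_is_safe(data: bytes) -> bool:
    return all(reason is None for reason in audit_zip(data).values())


def safe_extract(data: bytes, dest: str) -> list:
    """Validate all members first, then extract; refuse the whole archive if
    any member fails so a crafted entry never lands outside dest."""
    dest = os.path.realpath(dest)
    bad = {n: r for n, r in audit_zip(data).items() if r}
    if bad:
        raise ValueError(f"refusing archive with unsafe members: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            parts = [p for p in info.filename.replace("\\", "/").split("/") if p not in ("", ".")]
            target = os.path.join(dest, *parts) if parts else dest
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def extract_to_scratch(data: bytes) -> list:
    """Extract into a throwaway directory; return written paths relative to it,
    with '/' separators so the result is the same on every platform."""
    with tempfile.TemporaryDirectory() as d:
        root = os.path.realpath(d)
        return sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in safe_extract(data, d))


def build_sample_zip(names) -> bytes:
    """Constructed sample: an in-memory archive with the given member names.
    zipfile writes the names as given, so a 'D:/...' entry survives intact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"sample content\n")
    return buf.getvalue()


# Constructed archives: one benign, one carrying the drive-prefixed name from
# the advisory plus a classic '..' traversal entry.
BENIGN = build_sample_zip(["docs/readme.txt", "docs/sub/notes.txt"])
CRAFTED = build_sample_zip(["docs/readme.txt", "D:/shutil_outside_min.txt", "../escape.txt"])

if __name__ == "__main__":
    for member, reason in audit_zip(CRAFTED).items():
        print(f"{member!r}: {'OK' if reason is None else 'REJECT - ' + reason}")
    print("benign archive extracted:", extract_to_scratch(BENIGN))
    try:
        extract_to_scratch(CRAFTED)
    except ValueError as exc:
        print(exc)
```

Rejecting the whole archive rather than skipping the offending members is a deliberate choice: a partially extracted archive is often as surprising to the caller as an escaped file, and a single rejected name is a strong signal that the input is hostile and worth logging.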

Added: Apr 27, 2026, 9:31 PM
Updated: Apr 27, 2026, 9:31 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 1.5
exploitability: 5.6
remediation: 7.7
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.