September 30, 2023

Researchers from Trellix said they discovered a vulnerability in Python’s tarfile module, which provides a way to read and write compressed bundles of files known as tar archives, that affects an estimated 350,000 open source projects.

Tracked as CVE-2007-4559, the vulnerability surfaced on August 24, 2007, and has persisted to this day, some 5500 days later. It can be exploited to potentially overwrite and hijack files on a victim’s machine when a vulnerable application opens a malicious tar archive via tarfile.


The tarfile directory traversal flaw was reported on August 29, 2007, but had already been addressed one day earlier by the maintainer of the tarfile module.

A code change was committed that adds a check_paths parameter (defaulting to true) and a helper function to the TarFile.extractall() method, which raises an error if a file path inside the tar archive is unsafe.

But the fix did not address the TarFile.extract() method.

Warning: Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of path, e.g. members that have absolute filenames starting with "/" or filenames with two dots "..".

Both extract() and extractall() still pose the threat of arbitrary path traversal.
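The check described above can be reproduced in a few lines of application code. The following is an added example, not code from Trellix, from Creosote, or from the CPython tarfile module: it builds a constructed in-memory archive containing the two member types the tarfile documentation warns about (a name containing ".." and an absolute name) plus a symlink that points outside the destination, resolves every member’s extraction target against the destination directory, and refuses the whole archive if any member would land outside it. The function and member names (build_sample_archive, find_unsafe_members, safe_extractall, docs/readme.txt and so on) are all assumptions made up for the example.

```python
from __future__ import annotations

import io
import os
import tarfile
import tempfile


def build_sample_archive(include_traversal: bool = True) -> bytes:
    """Construct an in-memory tar archive (constructed sample, not a real file).

    With include_traversal=True it holds one benign member plus three hostile
    ones: a '..' component, an absolute path, and a symlink escaping the tree.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        members = [("docs/readme.txt", b"hello\n")]
        if include_traversal:
            members += [
                ("../escaped.txt", b"outside the destination\n"),
                ("/etc/overwritten.txt", b"absolute path\n"),
            ]
        for name, payload in members:
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        if include_traversal:
            link = tarfile.TarInfo(name="docs/link")
            link.type = tarfile.SYMTYPE
            link.linkname = "../../outside"  # resolves above the destination
            tar.addfile(link)
    return buf.getvalue()


def _inside(root: str, path: str) -> bool:
    """True if the resolved path lies within root (root itself counts)."""
    try:
        return os.path.commonpath([root, path]) == root
    except ValueError:  # e.g. different drives on Windows: never inside
        return False


def find_unsafe_members(archive: bytes, dest: str) -> list[str]:
    """Return names of members whose extraction target would leave dest.

    Each member name is joined to the destination and canonicalised; an
    absolute name overrides the join and a '..' component walks upward, so
    both fail the containment test. Symlinks and hardlinks are also checked
    against where their link target would resolve.
    """
    dest_real = os.path.realpath(dest)
    unsafe: list[str] = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(dest_real, member.name))
            if not _inside(dest_real, target):
                unsafe.append(member.name)
                continue
            if member.issym() or member.islnk():
                # A symlink's target is relative to its own directory; a
                # hardlink's target is relative to the archive root.
                base = os.path.dirname(target) if member.issym() else dest_real
                link_target = os.path.realpath(os.path.join(base, member.linkname))
                if not _inside(dest_real, link_target):
                    unsafe.append(member.name)
    return unsafe


def safe_extractall(archive: bytes, dest: str) -> list[str]:
    """Extract only after every member passes the check; otherwise refuse."""
    bad = find_unsafe_members(archive, dest)
    if bad:
        raise ValueError(f"refusing to extract: unsafe member paths {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        # On Python 3.12+ (and the maintenance releases that backported it)
        # the built-in 'data' filter performs equivalent checks itself.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
        return [m.name for m in tar.getmembers()]


def demo() -> tuple[list[str], bool, list[str]]:
    """Run both archives through the check in a throwaway directory."""
    with tempfile.TemporaryDirectory() as dest:
        hostile = build_sample_archive(include_traversal=True)
        unsafe = find_unsafe_members(hostile, dest)
        try:
            safe_extractall(hostile, dest)
            refused = False
        except ValueError:
            refused = True
        extracted = safe_extractall(build_sample_archive(include_traversal=False), dest)
    return unsafe, refused, extracted


if __name__ == "__main__":
    print(demo())
```

The check is deliberately performed over the whole archive before anything is written, because a member-by-member check during extraction cannot undo files already placed. Note the remaining caveat: a symlink extracted earlier in the archive can redirect a later, apparently benign member, which this lexical check does not model; on interpreters that provide tarfile.data_filter, the extractall call above passes filter="data" so that the module applies its own containment checks as well.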

Trellix built a free tool called Creosote to scan for CVE-2007-4559. The software has already found the bug lurking in applications like Spyder IDE, an open-source scientific environment written for Python, and Polemarch, an IT infrastructure management service for Linux and Docker.


Trellix says tarfile is a default module in any Python project and is present in frameworks created by AWS, Facebook, Google, and Intel, and in applications for machine learning, automation, and Docker containers.

Trellix says it’s working to make repaired code available to affected projects.
