CVE-2025-13462 (severity: Low)

CVE-2025-13462: tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling

Vendor Python Software Foundation
Product CPython
Published March 12, 2026
Last update June 4, 2026

CVSS base score

2.0/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Confidentiality None (VC:N)
Integrity Low (VI:L)

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

The "tarfile" module still applied its normalization of AREGTYPE (\x00) header blocks to DIRTYPE even while it was in the middle of processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. As a result, a crafted tar archive could be interpreted differently by the tarfile module than by other tar implementations.

Key dates

Disclosure timeline

March 12, 2026 CVE published
June 4, 2026 Record updated