The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.
CVE-2025-13462
Score 9.8 from GitHub Security Advisory (severity: LOW) published 2026-03-12. NVD baseline CVSS 3.3; sources differ by 6.5.
- Lower severity and no public exploit yet
A fix is available — apply it.
- CVSS v3
- 3.3
- EG Score
- 9.8(medium)
- EPSS
- 6.0%
- KEV
- Not listed
Published
March 12, 2026
Last Modified
June 11, 2026
Advisory Details (9)
Auto-updated Jun 5, 2026Mailman 3 [CVE-2025-13462]: tarfile: Skip DIRTYPE normalization during GNU long name and link handling - Security-announce - python.org
https://mail.python.org/archives/list/[email protected]/thread/EOMI5I66ZMKQ2INNFT6T7IAIKUGPZYIE/gh-141707: Skip TarInfo DIRTYPE normalization during GNU long name handling
Fix merged in python/cpython PR #143934 on 2026-03-11 — awaiting tagged release
https://github.com/python/cpython/pull/143934Incorrect parsing of TarInfo header when GNU long name and type AREGTYPE are combined · Issue #141707 · python/cpython · GitHub
https://github.com/python/cpython/issues/141707commit d10950739a78 (python/cpython)
Fix landed in python/cpython commit d10950739a78 — awaiting tagged release
https://github.com/python/cpython/commit/d10950739a78f54d0718d88fb5a868374603c084commit ae99fe3a33b4 (python/cpython)
Fix landed in python/cpython commit ae99fe3a33b4 — awaiting tagged release
https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7commit 9a23b753552a (python/cpython)
Fix landed in python/cpython commit 9a23b753552a — awaiting tagged release
https://github.com/python/cpython/commit/9a23b753552afa28e3a2f4d8863572fc66479406commit 7ad3093d76a7 (python/cpython)
Fix landed in python/cpython commit 7ad3093d76a7 — awaiting tagged release
https://github.com/python/cpython/commit/7ad3093d76a748af55bdb1d2e8aad3638163b017commit 72dde1016493 (python/cpython)
Fix landed in python/cpython commit 72dde1016493 — awaiting tagged release
https://github.com/python/cpython/commit/72dde1016493c52abe857fc4a7bf6c40138b4114commit 42d754e34c06 (python/cpython)
Fix landed in python/cpython commit 42d754e34c06 — awaiting tagged release
https://github.com/python/cpython/commit/42d754e34c06e57ad6b8e7f92f32af679912d8abVendor Advisories for CVE-2025-13462(6)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- CVE-2025-13462Microsoft Security Response Center (MSRC)Low
tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling
- RHSA-2026:11324Red Hat Product SecurityLow
Red Hat Security Advisory: Red Hat Hardened Images RPMs Security Update
- RHSA-2026:10118Red Hat Product SecurityMedium
Red Hat Security Advisory: Red Hat Hardened Images RPMs Security Update
- RHSA-2026:7661Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
- RHSA-2026:7443Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
- GHSA-9qpv-486p-2v4hGitHub Security AdvisoriesLow
The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even...
Patch Availability(4)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| redhat | python3-11-main-3.11.15-4.2.hum1 | 2026-04-28 | redhat |
| redhat | python3-12-main-3.12.13-3.1.hum1 | 2026-04-23 | redhat |
| redhat | python3-14-main-3.14.4-1.hum1 | 2026-04-11 | redhat |
| redhat | python3-13-main-3.13.13-1.hum1 | 2026-04-10 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Weakness Classification(3)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 10× in last 7d / 43× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 150 total refreshes for this CVE.
- 2026-07-15 16:57 UTCEPSS rescore
- 2026-07-15 16:57 UTCEPSS rescore
- 2026-07-13 22:29 UTCEPSS rescore
- 2026-07-13 22:29 UTCEPSS rescore
- 2026-07-13 06:12 UTCEPSS rescore
- 2026-07-12 05:46 UTCEPSS rescore
- 2026-07-12 05:45 UTCEPSS rescore
- 2026-07-11 08:26 UTCEPSS rescore
- 2026-07-11 08:26 UTCEPSS rescore
- 2026-07-09 19:09 UTCEPSS rescore
- 2026-07-08 15:14 UTCEPSS rescore
- 2026-07-07 13:45 UTCEPSS rescore
- 2026-07-06 16:26 UTCEPSS rescore
- 2026-07-06 02:22 UTCEPSS rescore
- 2026-07-06 02:22 UTCEPSS rescore
- 2026-07-05 02:30 UTCEPSS rescore
- 2026-07-04 06:30 UTCEPSS rescore
- 2026-07-01 15:06 UTCEPSS rescore
- 2026-06-30 23:21 UTCEPSS rescore
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-29 13:32 UTCOSV refresh
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 04:55 UTCEPSS rescore
- 2026-06-27 03:08 UTCEPSS rescore
Show 75 moreShow fewer
- 2026-06-27 03:08 UTCEPSS rescore
- 2026-06-25 13:49 UTCEPSS rescore
- 2026-06-25 13:49 UTCEPSS rescore
- 2026-06-24 14:04 UTCEPSS rescore
- 2026-06-24 14:04 UTCEPSS rescore
- 2026-06-23 21:32 UTCEPSS rescore
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-19 19:25 UTCEPSS rescore
- 2026-06-19 19:25 UTCEPSS rescore
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-17 17:52 UTCEPSS rescore
- 2026-06-16 17:52 UTCEPSS rescore
- 2026-06-15 17:48 UTCEPSS rescore
- 2026-06-14 23:17 UTCEPSS rescore
- 2026-06-13 22:59 UTCEPSS rescore
- 2026-06-13 22:59 UTCEPSS rescore
- 2026-06-12 23:11 UTCEPSS rescore
- 2026-06-12 04:23 UTCEG score recompute
- 2026-06-12 04:23 UTCVendor advisory
- 2026-06-12 04:23 UTCGHSA enrichment
- 2026-06-12 00:15 UTCEG score recompute
- 2026-06-12 00:15 UTCVendor advisory
- 2026-06-12 00:15 UTCGHSA enrichment
- 2026-06-11 15:55 UTCNVD updateCVSS v3 → 3.3 · severity → LOW
- 2026-06-11 13:59 UTCEPSS rescore
- 2026-06-10 22:18 UTCEPSS rescore
- 2026-06-10 20:04 UTCEG score recompute
- 2026-06-10 20:04 UTCVendor advisory
- 2026-06-10 20:04 UTCGHSA enrichment
- 2026-06-10 16:01 UTCEG score recompute
- 2026-06-10 16:01 UTCVendor advisory
- 2026-06-10 16:01 UTCGHSA enrichment
- 2026-06-10 13:21 UTCEPSS rescore
- 2026-06-10 10:00 UTCEG score recompute
- 2026-06-10 10:00 UTCVendor advisory
- 2026-06-10 10:00 UTCGHSA enrichment
- 2026-06-10 06:06 UTCEG score recompute
- 2026-06-10 06:06 UTCVendor advisory
- 2026-06-10 06:06 UTCGHSA enrichment
- 2026-06-10 01:53 UTCEG score recompute
- 2026-06-10 01:53 UTCVendor advisory
- 2026-06-10 01:53 UTCGHSA enrichment
- 2026-06-09 16:55 UTCEG score recompute
- 2026-06-09 16:55 UTCVendor advisory
- 2026-06-09 16:55 UTCGHSA enrichment
- 2026-06-08 14:16 UTCEPSS rescore
- 2026-06-08 14:16 UTCEPSS rescore
- 2026-06-08 06:53 UTCEG score recompute
- 2026-06-08 06:53 UTCVendor advisory
- 2026-06-08 06:53 UTCGHSA enrichment
- 2026-06-08 02:59 UTCEG score recompute
- 2026-06-08 02:59 UTCVendor advisory
- 2026-06-08 02:59 UTCGHSA enrichment
- 2026-06-07 23:05 UTCEG score recompute
- 2026-06-07 23:05 UTCVendor advisory
- 2026-06-07 23:05 UTCGHSA enrichment
- 2026-06-07 19:07 UTCEG score recompute
- 2026-06-07 19:07 UTCVendor advisory
- 2026-06-07 19:07 UTCGHSA enrichment
- 2026-06-07 15:24 UTCEPSS rescore
- 2026-06-07 14:53 UTCEG score recompute▲ 7.80
- 2026-06-07 14:53 UTCVendor advisory
- 2026-06-07 14:53 UTCGHSA enrichment
- 2026-06-06 13:47 UTCEPSS rescore
- 2026-06-06 13:47 UTCEPSS rescore
- 2026-06-05 22:46 UTCEPSS rescore
- 2026-06-05 22:46 UTCEPSS rescore
- 2026-06-05 06:10 UTCEPSS rescore
- 2026-06-05 06:10 UTCEPSS rescore
Related CVEs(same vendor + same CWE)
Same vendor
10 shownmsrc · redhat
Same CWE
10 shownCWE-20 · CWE-434
Frequently asked(5)
What is CVE-2025-13462?
When was CVE-2025-13462 disclosed?
Is CVE-2025-13462 actively exploited?
What is the CVSS score of CVE-2025-13462?
How do I remediate CVE-2025-13462?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2025-13462
Is Your Infrastructure Affected by CVE-2025-13462?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.