What is GHSA-9qpv-486p-2v4h?

GHSA-9qpv-486p-2v4h is a security advisory published by GitHub Security Advisories with Low severity. The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even...

Which CVE IDs does GHSA-9qpv-486p-2v4h cover?

GHSA-9qpv-486p-2v4h covers the following CVE IDs: CVE-2025-13462. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-9qpv-486p-2v4h?

GHSA-9qpv-486p-2v4h has a CVSS v3 base score of 9.8, published by GitHub Security Advisories.

GHSA-9qpv-486p-2v4hLowCVSS 9.8

The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even...

Vendor

GitHub Security Advisories

Published

March 12, 2026

Last Modified

June 5, 2026

🔗 CVE IDs covered (1)

CVE-2025-13462 →

📋 Description

The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.

🔗 References (11)

https://nvd.nist.gov/vuln/detail/CVE-2025-13462
https://github.com/python/cpython/issues/141707
https://github.com/python/cpython/pull/143934
https://mail.python.org/archives/list/security-announce@python.org/thread/EOMI5I66ZMKQ2INNFT6T7IAIKUGPZYIE
https://github.com/python/cpython/commit/42d754e34c06e57ad6b8e7f92f32af679912d8ab
https://github.com/python/cpython/commit/7ad3093d76a748af55bdb1d2e8aad3638163b017
https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7
https://github.com/python/cpython/commit/72dde1016493c52abe857fc4a7bf6c40138b4114
https://github.com/python/cpython/commit/9a23b753552afa28e3a2f4d8863572fc66479406
https://github.com/python/cpython/commit/d10950739a78f54d0718d88fb5a868374603c084
https://github.com/advisories/GHSA-9qpv-486p-2v4h