CVE-2024-12718 is a vulnerability in Python's tarfile module that allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory. This vulnerability affects Python versions 3.12 or later when using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() with the filter= parameter set to "data" or "tar". The vulnerability is rated as MODERATE severity (Python Security Announce).

The vulnerability exists in the tarfile extraction filtering feature introduced in Python 3.12. When using filter="data" or filter="tar" parameters during archive extraction, the module fails to properly restrict modifications to files outside the extraction directory. For Python 3.14 or later, this is particularly concerning as the default value of filter= changed from "no filtering" to "data", making any default usage potentially vulnerable (Python Security Announce).

The vulnerability allows an attacker to modify file metadata (like last modified timestamps) when using filter="data" or modify file permissions (chmod) when using filter="tar" for files that exist outside the intended extraction directory. While this doesn't allow arbitrary code execution, it could potentially be used to manipulate file attributes of sensitive system files (Python Security Announce).

The recommended mitigation is to upgrade to a fixed version of Python or apply the available patches. If upgrading or patching is not possible, a workaround is to reject all links with parent directory segments (".."): ```python

Avoid insecure segments in link names.

for member in tar.getmembers():

if member.linkname and '..' in pathlib.Path(member.linkname).parts:
    raise OSError("Tarfile with insecure segment ('..') in linkname")

Now safe to extract members with the data filter.

tar.extractall(filter="data")``` (Security Gist).