CVE-2025-4517: 
Python Interpreter vulnerability analysis and mitigation

CVE-2025-4517 is a critical vulnerability in Python's tarfile module affecting versions 3.12 and later. The vulnerability allows arbitrary filesystem writes outside the extraction directory during extraction when using filter="data". Users are affected when using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() with the filter parameter set to "data" or "tar". For Python 3.14 or later, where the default filter value changed from "no filtering" to "data", users relying on this default behavior are also affected (Python Security, NVD).

The vulnerability exists in the tarfile module's extraction filtering feature. When using filter="data", the module fails to properly validate and normalize link targets, allowing arbitrary filesystem writes outside the intended extraction directory. The vulnerability has been assigned a CVSS v3.1 Base Score of 9.4 (CRITICAL) by the Python Software Foundation, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L (Wiz).

An attacker can exploit this vulnerability to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code. While this vulnerability affects the installation of source distributions (tar archives), the impact is limited since source distributions already allow arbitrary code execution during the build process (Wiz).

A temporary mitigation involves checking for parent directory segments in link names before extraction: validate all link targets for '..' segments and reject any archives containing such links. The recommended long-term solution is to upgrade to a patched version of Python. For those unable to upgrade immediately, implementing link name validation before extraction can help mitigate the vulnerability (GitHub Gist, Python Security).