
Cloud Vulnerability DB
A community-led vulnerabilities database
A high severity vulnerability (CVE-2025-8194) was discovered in Python's tarfile module, affecting the TarFile extraction and entry enumeration APIs. The vulnerability was disclosed on July 28, 2025, and affects all Python versions prior to 3.14.0. The flaw lies in the tar parsing code, which accepted archives containing negative offsets without raising an error, so that parsing a maliciously crafted tar archive enters an infinite loop and the process deadlocks (NVD, Security Online).
The vulnerability lies in the TarFile extraction and entry enumeration APIs of CPython's standard tarfile module. When a .tar archive contains an entry with a negative offset, Python's extraction routines fail to validate the offset, leading to an infinite loop. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified as CWE-835 (Loop with Unreachable Exit Condition - 'Infinite Loop') (NVD).
The vulnerability can lead to resource exhaustion, application hangs, system unresponsiveness, and denial-of-service conditions when processing maliciously crafted tar archives. Attackers can exploit this flaw by crafting tar files with deliberately malformed metadata that causes the parsing process to stall indefinitely (Security Online).
For systems unable to upgrade to Python 3.14.0, a temporary mitigation patch can be applied by adding a small piece of code immediately after importing the tarfile module. The patch introduces a check that raises an exception if a negative offset is encountered, so the malicious payload is rejected instead of parsed. The patch is available as a GitHub Gist.
Source: This report was generated using AI