Share
## https://sploitus.com/exploit?id=5082A5F9-2C69-5B9A-9CC3-86969E9C2A4A
# CVE-2025-4138 โ€” Python tarfile `filter="data"` Bypass

Arbitrary file write outside the extraction directory via PATH_MAX symlink chain.

## Affected Versions

- Python 3.12.0 โ€“ 3.12.10
- Python 3.13.0 โ€“ 3.13.3
- Fixed in 3.12.11 / 3.13.4

## Credit: 

Reporter: Caleb Brown (Google)

## How It Works

Python's `tarfile` data filter validates symlink targets using `os.path.realpath()`. When the resolved path exceeds PATH_MAX (4096 bytes on Linux), `realpath()` silently stops resolving and appends remaining components โ€” including `../` โ€” as literal strings. The filter sees a safe path; the kernel follows the real traversal.

The exploit builds a tar with four stages:

1. **Symlink chain** โ€” 16 levels of long directories (247 chars each) with short symlink aliases (`a`โ†’`ddd...`, `b`โ†’`ddd...`). Inflates the resolved path to ~3968 bytes.
2. **Pivot symlink** โ€” `../` ร— 16 at the end of the chain. `realpath()` overflows and can't resolve it. Kernel walks back to the extraction root.
3. **Escape symlink** โ€” Routes through the pivot, up to `/`, and down to the target directory.
4. **Payload file** โ€” Written through the escape symlink to the target path as root.

## Usage

```bash
python3 CVE-2025-4138_tarfile_filter_bypass.py \
    -o evil.tar \
    -t /root/.ssh/authorized_keys \
    -p /tmp/key.pub \
    -m 0600
```

| Flag | Description |
|------|-------------|
| `-o` | Output tar path |
| `-t` | Absolute path of file to write on target |
| `-p` | Local file to use as payload content |
| `-m` | Octal file permissions (default: `0644`) |

## References

- [NVD โ€” CVE-2025-4138](https://nvd.nist.gov/vuln/detail/cve-2025-4138)
- [GHSA-hgqp-3mmf-7h8f](https://github.com/advisories/GHSA-hgqp-3mmf-7h8f)

For authorized security testing and CTF use only.