## https://sploitus.com/exploit?id=5082A5F9-2C69-5B9A-9CC3-86969E9C2A4A
# CVE-2025-4138 โ Python tarfile `filter="data"` Bypass
Arbitrary file write outside the extraction directory via PATH_MAX symlink chain.
## Affected Versions
- Python 3.12.0 โ 3.12.10
- Python 3.13.0 โ 3.13.3
- Fixed in 3.12.11 / 3.13.4
## Credit:
Reporter: Caleb Brown (Google)
## How It Works
Python's `tarfile` data filter validates symlink targets using `os.path.realpath()`. When the resolved path exceeds PATH_MAX (4096 bytes on Linux), `realpath()` silently stops resolving and appends remaining components โ including `../` โ as literal strings. The filter sees a safe path; the kernel follows the real traversal.
The exploit builds a tar with four stages:
1. **Symlink chain** โ 16 levels of long directories (247 chars each) with short symlink aliases (`a`โ`ddd...`, `b`โ`ddd...`). Inflates the resolved path to ~3968 bytes.
2. **Pivot symlink** โ `../` ร 16 at the end of the chain. `realpath()` overflows and can't resolve it. Kernel walks back to the extraction root.
3. **Escape symlink** โ Routes through the pivot, up to `/`, and down to the target directory.
4. **Payload file** โ Written through the escape symlink to the target path as root.
## Usage
```bash
python3 CVE-2025-4138_tarfile_filter_bypass.py \
-o evil.tar \
-t /root/.ssh/authorized_keys \
-p /tmp/key.pub \
-m 0600
```
| Flag | Description |
|------|-------------|
| `-o` | Output tar path |
| `-t` | Absolute path of file to write on target |
| `-p` | Local file to use as payload content |
| `-m` | Octal file permissions (default: `0644`) |
## References
- [NVD โ CVE-2025-4138](https://nvd.nist.gov/vuln/detail/cve-2025-4138)
- [GHSA-hgqp-3mmf-7h8f](https://github.com/advisories/GHSA-hgqp-3mmf-7h8f)
For authorized security testing and CTF use only.