## https://sploitus.com/exploit?id=FA5A964C-EDC2-5AC8-AEBF-4F9B3C061DE8
# CVE-2025-4517-poc
Here is the updated script as a Proof-of-Concept (PoC) for CVE-2025-4517 โ a critical vulnerability (CVSS 9.4) in Python's tarfile module.
CVE-2025-4517 allows arbitrary filesystem writes outside the extraction directory during extraction when using TarFile.extractall() or TarFile.extract() with the filter parameter set to "data" or "tar".
This affects:
Python 3.12+ when explicitly using filter="data" or filter="tar"
Python 3.14+ when relying on the new default filter="data" (changed from no filtering)
The PoC uses repeated long directory names + symlinks to bypass path normalization / realpath checks in the "data" filter, enabling path traversal to write files (here: overwrite /etc/sudoers) outside the intended extraction path.
Tips & Variants (2026 CTFs / real-world testing)
If hard links (LNKTYPE) are blocked โ change to SYMTYPE in the sudoers_link step
Adjust traversal depth (+1, +3, etc.) if the exact number of ../ needed changes
Targets: /etc/sudoers, /root/.ssh/authorized_keys, /etc/crontab, /etc/shadow, etc.
Long dir name: try 'A'*220, '0'*230 or '_'*200 if filters block repeated d
Smaller tar: gzip -9 evil_backup_cve_2025_4517.tar โ upload .tar.gz
Use responsibly โ this is for authorized security research / CTF / red-team only.