Description
The 'zipfile' module would not check the validity of the ZIP64 End of
Central Directory (EOCD) Locator record offset value. The offset value was
not used to locate the ZIP64 EOCD record; instead, the ZIP64 EOCD record
was assumed to be the previous record in the ZIP archive. This could be
abused to create ZIP archives that are handled differently by the 'zipfile'
module compared to other ZIP implementations.

Remediation maintains this behavior, but checks that the offset specified
in the ZIP64 EOCD Locator record matches the expected value.
Published: 2025-10-07
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Compatibility and logic discrepancy via ZIP64 offset misinterpretation
Action: Apply Patch
AI Analysis

Impact

The zipfile module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value. Instead of using the offset to locate the ZIP64 EOCD record, the module assumed it was the previous record in the ZIP archive. This flaw can be abused to create ZIP archives that the CPython zipfile module interprets differently from other ZIP implementations. The resulting inconsistency may affect how applications process or rely on ZIP content, but it does not grant direct code execution.

Affected Systems

This issue affects CPython releases prior to the patch, across every maintained CPython version that ships the standard zipfile module. It is addressed in the subsequent releases that include validation of the EOCD Locator offset.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact, and the EPSS score of less than 1% implies a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector may be local or remote, depending on whether an attacker can supply ZIP archives to a Python application. Although the flaw grants no direct access to system resources, the inconsistency could be leveraged in combination with other logic flaws if an attacker controls the input ZIP data.

Generated by OpenCVE AI on April 22, 2026 at 12:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest CPython release that contains the zipfile EOCD offset validation patch.
  • If a patch cannot be applied immediately, disable ZIP64 support when processing untrusted archives or limit extraction to a sandboxed process with minimal privileges.
  • Add application‑level checks for ZIP64 EOCD Locator offsets or otherwise enforce strict validation before extracting ZIP files.
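An application-level check of the kind listed above, written for this page as an added example (it is neither CPython's patch nor OpenCVE's content): it finds the EOCD record, reads the ZIP64 EOCD Locator and reports whether the Locator offset points at the ZIP64 EOCD record directly in front of it, the position the unpatched zipfile assumed. The sample archives are constructed in the block, and all function names are this example's own.

```python
import io
import struct
import zipfile

# Signatures and fixed sizes of the trailing records (ZIP APPNOTE sections 4.3.14 to 4.3.16).
EOCD_SIG, EOCD_SIZE = b"PK\x05\x06", 22              # End of Central Directory record
LOCATOR_SIG, LOCATOR_SIZE = b"PK\x06\x07", 20        # ZIP64 EOCD Locator
ZIP64_EOCD_SIG, ZIP64_EOCD_SIZE = b"PK\x06\x06", 56  # ZIP64 EOCD record without extensible data

def check_zip64_locator(data):
    """Return 'no-zip64', 'ok' or 'mismatch' for the ZIP64 EOCD Locator offset of an archive."""
    # The EOCD record is last; only an archive comment (at most 65535 bytes) may follow it.
    tail = data[-(EOCD_SIZE + 0xFFFF):]
    hit = tail.rfind(EOCD_SIG)
    if hit < 0:
        raise ValueError("no End of Central Directory record found")
    eocd_pos = len(data) - len(tail) + hit
    loc_pos = eocd_pos - LOCATOR_SIZE
    if loc_pos < 0 or data[loc_pos:loc_pos + 4] != LOCATOR_SIG:
        return "no-zip64"
    # Locator fields: signature, disk holding the ZIP64 EOCD, its offset, total disks.
    _, disk, reloff, disks = struct.unpack("<4sLQL", data[loc_pos:loc_pos + LOCATOR_SIZE])
    if disk != 0 or disks > 1:
        raise ValueError("multi-disk archives are not supported")
    expected = loc_pos - ZIP64_EOCD_SIZE  # where the unpatched zipfile assumed the record to be
    if expected < 0 or data[expected:expected + 4] != ZIP64_EOCD_SIG:
        raise ValueError("no ZIP64 EOCD record directly before the Locator")
    return "ok" if reloff == expected else "mismatch"

def names_seen_by_zipfile(data):
    """What this interpreter's zipfile makes of the archive (patched versions check the offset)."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()

def build_plain_sample():
    """Constructed one-entry archive written by zipfile itself (no ZIP64 records)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hello.txt", b"hello zip64\n")
    return buf.getvalue()

def build_zip64_sample():
    """Same archive with a ZIP64 EOCD record and Locator spliced in before the EOCD (constructed)."""
    plain = build_plain_sample()
    # EOCD fields: disks, CD disk, entries on disk, total entries, CD size, CD offset, comment length.
    _, _, _, n_disk, n_total, cd_size, cd_off, _ = struct.unpack("<4sHHHHLLH", plain[-EOCD_SIZE:])
    z64_pos = len(plain) - EOCD_SIZE
    z64 = struct.pack("<4sQHHLLQQQQ", ZIP64_EOCD_SIG, ZIP64_EOCD_SIZE - 12, 45, 45,
                      0, 0, n_disk, n_total, cd_size, cd_off)
    locator = struct.pack("<4sLQL", LOCATOR_SIG, 0, z64_pos, 1)
    return plain[:z64_pos] + z64 + locator + plain[z64_pos:]
```

Run `check_zip64_locator` on an archive before handing it to `zipfile` and treat anything other than 'ok' or 'no-zip64' as a reason to reject the file.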

Advisories
Source       ID          Title
Debian DLA   DLA-4354-1  pypy3 security update
Debian DLA   DLA-4445-1  python3.9 security update
Ubuntu USN   USN-7886-1  Python vulnerabilities
Ubuntu USN   USN-7886-2  Python vulnerabilities
History

Wed, 29 Oct 2025 16:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
    -> {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Oct 2025 15:15:00 +0000

Wed, 15 Oct 2025 16:15:00 +0000
  Weaknesses: CWE-1285

Fri, 10 Oct 2025 00:15:00 +0000
  Weaknesses: CWE-130
  References
  Metrics (threat_severity): None -> Moderate

Thu, 09 Oct 2025 18:45:00 +0000

Wed, 08 Oct 2025 19:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Oct 2025 13:45:00 +0000
  First Time appeared: Python; Python cpython
  Vendors & Products: Python; Python cpython

Tue, 07 Oct 2025 18:30:00 +0000

Tue, 07 Oct 2025 18:15:00 +0000
  Description: The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value. The offset value was not used to locate the ZIP64 EOCD record; instead, the ZIP64 EOCD record was assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.
  Title: ZIP64 End of Central Directory (EOCD) Locator record offset not checked
  References
  Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

MITRE
Status: PUBLISHED
Assigner: PSF
Published:
Updated: 2026-04-21T20:17:51.842Z
Reserved: 2025-07-28T21:05:06.237Z
Link: CVE-2025-8291

Vulnrichment
Updated: 2025-10-08T18:41:10.269Z

NVD
Status: Deferred
Published: 2025-10-07T18:16:00.317
Modified: 2026-04-15T00:35:42.020
Link: CVE-2025-8291

Red Hat
Severity: Moderate
Public Date: 2025-10-07T18:10:05Z
Links: CVE-2025-8291 - Bugzilla

OpenCVE Enrichment
Updated: 2026-04-22T12:15:16Z

Weaknesses