Impact
In Python’s tarfile module, a bug in streaming mode (mode="r|") causes the EOF to be handled incorrectly, making archive parsing continue for an exponentially long period. When a tarfile is processed in this mode, the module fails to stop at the actual end of the archive, leading to excessive CPU utilization and an infinite loop (CWE-835) that persists until system resources are exhausted or a timeout occurs. The impact is a denial of service on the process or the host.
Affected Systems
Python Software Foundation CPython instances that use the tarfile module in streaming mode and are running a version released prior to the issued fix. The specific version is not enumerated in the advisory, but any CPython install where the bug exists until the patch is applied is affected.
Risk and Exploitability
The CVSS score of 8.2 indicates high severity. The flaw can be triggered by supplying a crafted tar archive that the application reads with tarfile in streaming mode, and it is not listed in CISA’s KEV catalog. Attackers can induce a denial of service by feeding a malformed archive from any source that the vulnerable process ingests, potentially remotely if the process accepts user‑supplied archives over a network. The EPSS score of < 1% indicates a very low but non‑zero probability that the vulnerability will be actively exploited in the wild.
OpenCVE Enrichment