How a 15-Year-Old Python Tarfile Flaw Still Threatens 350k Open-Source Projects
Security firm Trellix warns that CVE-2007-4559, a directory-traversal flaw reported fifteen years ago in Python's built-in tarfile module, has never been properly fixed. Any application that extracts untrusted archives with tarfile can be made to write files outside the extraction directory, which in turn can lead to arbitrary code execution; Trellix estimates some 350,000 open-source projects are affected across many domains.
Background
Security company Trellix, formed from the merger of FireEye and McAfee Enterprise, issued a warning that the Python standard library's tarfile module contains a long-standing vulnerability, CVE-2007-4559, first disclosed fifteen years ago.
Originally scored 6.8 (CVSS) as a directory-traversal issue, the flaw was never fully fixed. Trellix researchers now show that the same path traversal can be turned into execution of attacker-chosen code, and that more than 350,000 open-source projects may be exposed.
Scope of Impact
Because tarfile ships with the standard library, the vulnerable pattern turns up wherever Python code extracts archives it did not produce. Trellix found it in frameworks from Netflix, AWS, Intel, Google and Meta, spanning artificial intelligence/machine learning, containerization, automation, web development, media, security and IT management.
An attacker needs only to supply a malicious tar archive, which a few lines of Python can generate, to an application that unpacks it with extract() or extractall(). Member names containing ".." sequences (or absolute paths) are written wherever they point, so the archive can overwrite arbitrary files outside the extraction directory. Overwriting a file that the system later runs, such as a startup script or a module the application imports, turns the file write into code execution and, in the cases Trellix demonstrated, full control of the target system.
Mitigation Advice
The Python documentation has long warned never to extract archives from untrusted sources without inspecting them first, because member names may contain absolute paths or ".." sequences that place files outside the intended directory. Since this report, CPython has added extraction filters (PEP 706): passing filter="data" to extract() or extractall() rejects members that would land outside the destination, along with links that point outside it. The filters are available in Python 3.12 and later and were backported to the 3.8.17, 3.9.17, 3.10.12 and 3.11.4 maintenance releases; Python 3.14 makes "data" the default. Code that still calls extractall() on untrusted input without validating member paths remains exposed on older interpreters.
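As an added illustration of the attack and the mitigation described above (example code written for this page, not Trellix's Creosote or any project's own code), the following Python builds a tar archive in memory whose member name carries a ".." prefix, shows the naive extractall() call the CVE targets, and then a hardened extractor that resolves every member's target path before anything touches disk. The archive contents, member names and scratch directory are constructed for the demonstration.

```python
"""Added example: CVE-2007-4559 style path traversal in tarfile, and a hardened extractor.
All archives below are constructed in memory for the demonstration; nothing here is
Trellix's Creosote or the page's own code."""
import io
import os
import tarfile
import tempfile
from pathlib import Path


def build_archive(members: dict) -> bytes:
    """Build a tar in memory, storing each member name verbatim (constructed sample data).
    This is all an attacker needs: TarInfo does not sanitise names, so '../x' or '/etc/x'
    go into the archive exactly as given."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: one member escapes the extraction directory, one is harmless.
MALICIOUS_TAR = build_archive({"../escaped.txt": b"pwned", "ok.txt": b"fine"})
BENIGN_TAR = build_archive({"ok.txt": b"fine", "sub/nested.txt": b"nested"})


def naive_extract(archive: bytes, dest: str) -> None:
    """The vulnerable pattern: extractall() with no validation of member names."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        tar.extractall(dest)


def escaping_members(archive: bytes, dest: str) -> list:
    """Return the names of members whose resolved target lies outside dest.
    Catches both '..' traversal and absolute names: Path(dest) / '/abs' discards dest."""
    root = Path(dest).resolve()
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            target = (root / member.name).resolve()
            if target != root and root not in target.parents:
                bad.append(member.name)
    return bad


def safe_extract(archive: bytes, dest: str) -> list:
    """Hardened extraction: every member is checked before anything is written.
    Only regular files and directories are allowed; symlinks, hard links and device
    nodes are refused, since a link pointing outside dest would let a later member
    write through it."""
    root = Path(dest).resolve()
    allowed = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            target = (root / member.name).resolve()
            if target != root and root not in target.parents:
                raise ValueError(f"refusing {member.name!r}: escapes {dest}")
            if not (member.isfile() or member.isdir()):
                raise ValueError(f"refusing {member.name!r}: not a regular file or directory")
            allowed.append(member)
        # Where the interpreter ships PEP 706 filters (3.12+ and the 3.8.17/3.9.17/
        # 3.10.12/3.11.4 backports), apply the built-in 'data' filter as a second layer.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(path=str(root), members=allowed, **extra)
    return [m.name for m in allowed]


def run_demo() -> dict:
    """Exercise both extractors in a scratch directory and report what happened."""
    result = {}
    with tempfile.TemporaryDirectory() as scratch:
        dest = os.path.join(scratch, "out")
        os.makedirs(dest)
        # 1. The vulnerable call. Without extraction filters the file lands in
        #    scratch/, one level above dest; interpreters whose default filter is
        #    'data' (3.14+) refuse with a FilterError instead of writing it.
        try:
            naive_extract(MALICIOUS_TAR, dest)
            result["naive_escaped"] = os.path.exists(os.path.join(scratch, "escaped.txt"))
        except getattr(tarfile, "FilterError", ()):
            result["naive_escaped"] = False
        # 2. The checks: flag the bad member, refuse the archive, accept the benign one.
        result["flagged"] = escaping_members(MALICIOUS_TAR, dest)
        try:
            safe_extract(MALICIOUS_TAR, dest)
            result["safe_rejected"] = False
        except ValueError:
            result["safe_rejected"] = True
        result["safe_extracted"] = safe_extract(BENIGN_TAR, dest)
        with open(os.path.join(dest, "sub", "nested.txt"), "rb") as fh:
            result["nested_content"] = fh.read()
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The validation resolves each target with Path.resolve() rather than string-matching on "..", so a name such as "a/../../x" or an absolute path is rejected on the same basis, and link members are refused outright because a link created early in the archive can redirect a later member's write. Pairing this check with filter="data" where the interpreter supports it gives defence in depth rather than relying on either alone.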
Research Findings
While investigating an unrelated vulnerability, Trellix researchers rediscovered CVE-2007-4559 by chance and realised it had been largely ignored despite its severity. The team built working exploits against the Spyder IDE and the Polemarch automation tool.
To gauge prevalence, the researchers selected 257 repositories judged most likely to contain the flaw; 175 of them were confirmed vulnerable, a rate Trellix puts at 61%. With GitHub hosting roughly 588,840 Python projects that use tarfile, applying that rate suggests more than 350,000 projects may be at risk.
Detection Tool
Trellix released a Python script, Creosote (published on GitHub), that scans a code base for the vulnerable tarfile usage pattern behind CVE-2007-4559. It requires Python 3.9 or later and runs on Windows, Linux and macOS.
References
https://thehackernews.com/2022/09/15-year-old-unpatched-python.html
https://www.trellix.com/en-us/about/newsroom/stories/research/tarfile-exploiting-the-world.html