Skip to Content

15-Year-Old Python tarfile vulnerability

[Updated on 23 September 2022]

Although CVE-2007-4559 only has a minor 6.8 CVSS rating, this Python vulnerability is expected to affected up to 350,000 different Python-based projects if they go unpatched. Somehow, this vulnerability went unpatched for 15 years, so the backlog could be quite extensive.

[Updated on 22 September 2022] 15-Year-Old Python Flaw Remains Unpatched

Analysts from Trellix found a 15-year-old vulnerability in Python while plumbing “an enterprise product for zero-day vulnerabilities.” The path traversal vulnerability affects the tarfile module and can be exploited to overwrite files. The issue is estimated to affect an estimated 350,000+ open-source repositories. The vulnerability was first disclosed in 2007 and is identified as CVE-2007-4559, but it was never patched. Python did include a warning in the documentation.


  • The vulnerability is very typical for software that blindly unpacks compressed directory structures. In some ways, the “fix” done by the package maintainers to warn developers not to unpack untrusted files, is appropriate, but I am sure there are many developers who will overlook this note. Hard to tell if the number of affected projects is realistic as it appears to be more of an eyeball estimate.
  • The developer of the tar module put a note in the documentation advising what not to do, which means the code can still be abused. Trellis has built a free tool, Creosote, which scans for this vulnerability. Additionally, Trellix is publishing fixes to projects, forking them and issuing a pull request. If your project is provided fixed code, examine it carefully to ensure it still meets your expectations.
  • If vulnerability exists in the forest but no one wanders by, is the forest really vulnerable? A resounding “Yes!” An attacker will surely wander by sooner or later – luckily, in this case a security researcher was the first wandering explorer. Points out the need for community investment in exhaustive testing of public libraries and the open source software supply chain – at least to the level of detecting unpatched CVEs.
  • The promise of Open Source that “many eyes” would improve code quality has proved to be ephemeral. That is not likely to change until we hold developers accountable for the quality of all the code in their products, regardless of its source. Given our tolerance for poor quality in general, one is not hopeful.



But if you were preparing to make an “if you use jQuery then you deserve it” joke, don’t! Because stuff like this is everywhere, including in Python. According to a recent report published by the Trellix team, CVE-2007-4559, a vulnerability in the Python tarfile module is still impacting more than 350,000 software projects even today. Patching disasters like these are in every programming language. It’s that people haven’t been looking close enough.


    Ads Blocker Image Powered by Code Help Pro

    Your Support Matters...

    We run an independent site that\'s committed to delivering valuable content, but it comes with its challenges. Many of our readers use ad blockers, causing our advertising revenue to decline. Unlike some websites, we haven\'t implemented paywalls to restrict access. Your support can make a significant difference. If you find this website useful and choose to support us, it would greatly secure our future. We appreciate your help. If you\'re currently using an ad blocker, please consider disabling it for our site. Thank you for your understanding and support.