CVE-2025-8291
CVSS v3.1 severity:
MEDIUM
Type:
Not available / Other
Publication date:
7 October 2025
Last modified:
29 October 2025
Description
The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value. The offset value would not be used to locate the ZIP64 EOCD record; instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations: a reader that follows the locator offset and a reader that ignores it can resolve different ZIP64 EOCD records, and therefore different central directories, for the same bytes.

Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.
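As an added example (not code from this page, from CPython or from the PSF advisory), the following Python builds a constructed one-member archive that carries a ZIP64 EOCD record and locator, then parses the trailer the two ways the description contrasts: the position a reader reaches by assuming the record immediately precedes the locator, and the offset the locator itself claims. `central_directory_offset` is the hardened form: it keeps using the preceding record but refuses the archive when the locator disagrees, which is the check the remediation describes. The function names, the sample member name and payload, and the simplifying assumptions (single disk, no EOCD comment, no prepended data, no "zip64 extensible data") are mine.

```python
import io
import struct
import zipfile
import zlib

# Little-endian ZIP trailer structures (PKWARE APPNOTE layout).
LOCAL_HDR = "<IHHHHHIIIHH"          # 30 bytes
CENTRAL_HDR = "<IHHHHHHIIIHHHHHII"  # 46 bytes
ZIP64_EOCD = "<IQHHIIQQQQ"          # 56 bytes
ZIP64_LOCATOR = "<IIQI"             # 20 bytes
EOCD = "<IHHHHIIH"                  # 22 bytes
ZIP64_EOCD_SIG = 0x06064B50
ZIP64_LOCATOR_SIG = 0x07064B50
EOCD_SIG = 0x06054B50
ZIP64_EOCD_SIZE = struct.calcsize(ZIP64_EOCD)
ZIP64_LOCATOR_SIZE = struct.calcsize(ZIP64_LOCATOR)
EOCD_SIZE = struct.calcsize(EOCD)

NAME = b"hello.txt"            # constructed sample member
PAYLOAD = b"hello zip64\n"     # constructed sample content


def build_archive(locator_offset=None) -> bytes:
    """Build a one-member STORED archive with a ZIP64 EOCD record and locator.
    locator_offset=None writes the correct offset; any other value is written
    into the locator verbatim so that a mismatch can be observed."""
    crc = zlib.crc32(PAYLOAD) & 0xFFFFFFFF
    dos_date = ((2025 - 1980) << 9) | (10 << 5) | 7
    local = struct.pack(LOCAL_HDR, 0x04034B50, 20, 0, 0, 0, dos_date,
                        crc, len(PAYLOAD), len(PAYLOAD), len(NAME), 0) + NAME + PAYLOAD
    cd_offset = len(local)
    central = struct.pack(CENTRAL_HDR, 0x02014B50, 20, 20, 0, 0, 0, dos_date,
                          crc, len(PAYLOAD), len(PAYLOAD), len(NAME),
                          0, 0, 0, 0, 0, 0) + NAME
    zip64_pos = cd_offset + len(central)   # the ZIP64 EOCD record follows the CD
    zip64 = struct.pack(ZIP64_EOCD, ZIP64_EOCD_SIG, ZIP64_EOCD_SIZE - 12, 45, 45,
                        0, 0, 1, 1, len(central), cd_offset)
    reloff = zip64_pos if locator_offset is None else locator_offset
    locator = struct.pack(ZIP64_LOCATOR, ZIP64_LOCATOR_SIG, 0, reloff, 1)
    eocd = struct.pack(EOCD, EOCD_SIG, 0, 0, 1, 1, len(central), cd_offset, 0)
    return local + central + zip64 + locator + eocd


def check_zip64_locator(data: bytes) -> dict:
    """Compare the offset the locator claims with the position a reader gets by
    assuming the ZIP64 EOCD record is the record immediately before the locator.
    Assumes no EOCD comment, no prepended data and no zip64 extensible data."""
    eocd_pos = len(data) - EOCD_SIZE
    if eocd_pos < 0 or struct.unpack_from("<I", data, eocd_pos)[0] != EOCD_SIG:
        raise ValueError("no end of central directory record at end of file")
    loc_pos = eocd_pos - ZIP64_LOCATOR_SIZE
    if loc_pos < 0 or struct.unpack_from("<I", data, loc_pos)[0] != ZIP64_LOCATOR_SIG:
        return {"zip64": False}
    _, _disk, claimed, _disks = struct.unpack_from(ZIP64_LOCATOR, data, loc_pos)
    assumed = loc_pos - ZIP64_EOCD_SIZE
    if assumed < 0 or struct.unpack_from("<I", data, assumed)[0] != ZIP64_EOCD_SIG:
        raise ValueError("no ZIP64 EOCD record before the locator")
    return {"zip64": True, "claimed": claimed, "assumed": assumed,
            "consistent": claimed == assumed}


def central_directory_offset(data: bytes) -> int:
    """Hardened read: keep using the record before the locator, but refuse the
    archive when the locator's stated offset does not point at that record."""
    info = check_zip64_locator(data)
    if info["zip64"] and not info["consistent"]:
        raise ValueError("corrupt ZIP64 end of central directory locator: "
                         f"claims {info['claimed']:#x}, record is at {info['assumed']:#x}")
    if info["zip64"]:
        return struct.unpack_from(ZIP64_EOCD, data, info["assumed"])[9]
    return struct.unpack_from(EOCD, data, len(data) - EOCD_SIZE)[6]


def zipfile_reads(data: bytes):
    """What the running interpreter's own zipfile does with the archive:
    the member content on success, None if it rejects the archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(NAME.decode())
    except zipfile.BadZipFile:
        return None


if __name__ == "__main__":
    good = build_archive()
    bad = build_archive(locator_offset=0)   # locator points at the local header instead
    for label, blob in (("correct locator", good), ("tampered locator", bad)):
        info = check_zip64_locator(blob)
        print(f"{label}: claimed={info['claimed']:#x} assumed={info['assumed']:#x} "
              f"consistent={info['consistent']} "
              f"zipfile accepts={zipfile_reads(blob) is not None}")
```

The last column printed by the block reflects the zipfile module of whichever interpreter runs it, so it is where a patched and an unpatched Python differ on the tampered archive; the untampered archive is accepted by both. A production reader would additionally have to search past an EOCD comment and account for data prepended to the archive (self-extractor stubs), in which case the locator's offset is compared against the record's position minus the prepended length rather than against its absolute file position.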
Impact
Base score 3.x:
4.3
Severity 3.x:
MEDIUM
References to solutions, tools and information
- https://github.com/python/cpython/commit/162997bb70e067668c039700141770687bc8f267
- https://github.com/python/cpython/commit/1d29afb0d6218aa8fb5e1e4a6133a4778d89bb46
- https://github.com/python/cpython/commit/333d4a6f4967d3ace91492a39ededbcf3faa76a6
- https://github.com/python/cpython/commit/76437ac248ad8ca44e9bf697b02b1e2241df2196
- https://github.com/python/cpython/commit/8392b2f0d35678407d9ce7d95655a5b77de161b4
- https://github.com/python/cpython/commit/bca11ae7d575d87ed93f5dd6a313be6246e3e388
- https://github.com/python/cpython/commit/d11e69d6203080e3ec450446bfed0516727b85c3
- https://github.com/python/cpython/issues/139700
- https://github.com/python/cpython/pull/139702
- https://mail.python.org/archives/list/security-announce@python.org/thread/QECOPWMTH4VPPJAXAH2BGTA4XADOP62G/
- https://github.com/google/security-research/security/advisories/GHSA-hhv7-p4pg-wm6p
- https://github.com/psf/advisory-database/blob/main/advisories/python/PSF-2025-12.json