15-Year-Old Python Bug Let Hacker Execute Code in 350k Python Projects

Security researchers at Trellix have identified a 15-year-old Python bug that potentially affects 350,000 open-source repositories and could lead to code execution.

The bug was disclosed in 2007 and is tracked as CVE-2007-4559. Despite that, no patch was ever released to fix it; the only mitigation was a documentation update warning developers of the risk.

The affected open-source repositories span several industry verticals, including:

  • Software development
  • Artificial intelligence
  • Machine learning
  • Web development
  • Media
  • Security
  • IT management

The flaw affects the tarfile module and has a CVSS score of 6.8.

Tarfile Flaw

A tar file bundles several files together with metadata and other information about them; that metadata is needed to unarchive the tar file later.

A tar archive stores a variety of metadata for each member, including:

  • File name
  • File size 
  • Checksum of the file
  • File owner information

In the Python tarfile module this information is represented by the TarInfo class, and one TarInfo object is generated for each member of the archive.

These members can represent several kinds of filesystem structures, including:

  • Directories
  • Symbolic links
  • Files

The extraction code places explicit trust in the information contained in the TarInfo object, and then joins the member's path with the path that was passed to the extract function.

Tarfile Exploit

An attacker can exploit this vulnerability by inserting “..” together with the path separator of the target operating system (“/” or “\”) into the filename.

That lets the file escape the directory it was supposed to be extracted to. The tarfile module in Python makes this straightforward.

A filter can be attached when a file is added to the archive, manipulating the file's metadata before it is written. With as little as six lines of code, an attacker can create such an archive.

A researcher from Trellix rediscovered CVE-2007-4559 earlier this year during the investigation of a different security vulnerability.

In this case, the tarfile.extract() and tarfile.extractall() functions fail to sanitize the paths of their members, producing a directory traversal vulnerability through which an attacker can gain access to the file system.
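As an added example (not code from the article or from Trellix), the following Python audits a tar archive for the traversal described above before anything is extracted: each TarInfo name, and for links the link target, is resolved against the destination directory and rejected if it lands outside. The archive it builds is a constructed test fixture with one benign member, one “..” member and one symlink to an absolute path. On Python 3.12 and later the standard library offers the same class of checks through tar.extractall(dest, filter="data"), which is the preferred fix.

```python
import io
import os
import tarfile


def _is_within(base: str, target: str) -> bool:
    """True if target resolves to a location inside base (no '..' escape)."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def find_unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Return the names of members whose extraction would land outside dest.

    This re-checks the TarInfo fields that the vulnerable extraction code
    trusts blindly: the member name, and for symlinks/hardlinks the target.
    """
    unsafe = []
    for member in tar.getmembers():
        path = os.path.join(dest, member.name)
        if os.path.isabs(member.name) or not _is_within(dest, path):
            unsafe.append(member.name)
            continue
        if member.issym() or member.islnk():
            if member.issym():
                # symlink targets are relative to the link's own directory
                link = os.path.join(os.path.dirname(path), member.linkname)
            else:
                # hardlink targets are relative to the archive root
                link = os.path.join(dest, member.linkname)
            if os.path.isabs(member.linkname) or not _is_within(dest, link):
                unsafe.append(member.name)
    return unsafe


def audit_archive(data: bytes, dest: str) -> list:
    """Open an in-memory archive and list the members that escape dest."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return find_unsafe_members(tar, dest)


def safe_extractall(data: bytes, dest: str) -> None:
    """Hypothetical wrapper: refuse the whole archive if any member escapes.

    On Python 3.12+ prefer tar.extractall(dest, filter="data"), which the
    standard library applies itself.
    """
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        bad = find_unsafe_members(tar, dest)
        if bad:
            raise ValueError(f"refusing to extract, unsafe members: {bad}")
        tar.extractall(dest)


def build_sample_archive() -> bytes:
    """Constructed test fixture (not from the article): one benign file, one
    member whose name uses '..' to escape, one symlink to an absolute path."""
    buf = io.BytesIO()
    payload = b"hello\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "../outside.txt"):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("docs/etc")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc"
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    dest = os.path.join(os.getcwd(), "extract-target")
    # expected: ['../outside.txt', 'docs/etc']
    print("unsafe members:", audit_archive(build_sample_archive(), dest))
```

The check runs over the member list before extraction, so a rejected archive never touches the disk; because symlinks pointing outside the destination are refused as well, a later member cannot be routed through one.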

Over 350,000 Projects Affected

The researchers built a crawler that identified 257 repositories most likely to contain the vulnerable code.

Of these, 175 were examined to determine whether the vulnerable code was actually present; 61% of them turned out to be susceptible to attack.

Using this small sample as a baseline, they estimated the total number of affected repositories on GitHub.

Applying the manually verified 61% vulnerability rate, Trellix put the number of vulnerable repositories on GitHub at more than 350,000. Such repositories are frequently consumed by machine-learning tools that help developers build projects faster and more accurately.

These tools draw on code from hundreds of thousands of repositories to provide auto-complete suggestions, so when a developer supplies insecure code, the issue propagates onward without the developer being aware of it.

Trellix also built a custom tool, Creosote, which lets users check whether a project is vulnerable to CVE-2007-4559 as well as other vulnerabilities.

Spyder IDE and Polemarch were found to be exploitable using it. So far, Trellix has patched over 11,000 projects.

Given the large number of affected repositories, more than 70,000 projects are expected to be fixed in the next few weeks.
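As an added illustration of the kind of check Creosote performs (this is not Trellix's tool and not code from the article), the following Python parses a source file with the ast module and reports tarfile extract()/extractall() calls that pass no filter= argument, the standard-library mitigation introduced in Python 3.12. The source it scans is a constructed sample. The check is purely name-based: once tarfile is imported, any .extract()/.extractall() call without filter= is flagged, so objects of other types with those method names produce false positives that a real tool would resolve by tracking the receiver's type.

```python
import ast

EXTRACT_METHODS = {"extract", "extractall"}

# Constructed sample: one unfiltered call (line 5) and one filtered call (line 9).
SAMPLE_SOURCE = '''\
import tarfile

def unpack(path, dest):
    with tarfile.open(path) as tar:
        tar.extractall(dest)

def unpack_safe(path, dest):
    with tarfile.open(path) as tar:
        tar.extractall(dest, filter="data")
'''


def _imports_tarfile(tree: ast.AST) -> bool:
    """True if the module imports tarfile in any form."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            if any(alias.name == "tarfile" for alias in node.names):
                return True
        elif isinstance(node, ast.ImportFrom) and node.module == "tarfile":
            return True
    return False


class _ExtractCallFinder(ast.NodeVisitor):
    """Collect (line, method) for extract/extractall calls lacking filter=."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node: ast.Call):
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in EXTRACT_METHODS:
            has_filter = any(kw.arg == "filter" for kw in node.keywords)
            if not has_filter:
                self.findings.append((node.lineno, func.attr))
        self.generic_visit(node)


def find_unfiltered_extract_calls(source: str) -> list:
    """Return [(line, method), ...] for unfiltered tarfile extraction calls.

    Files that never import tarfile are skipped entirely to limit noise.
    """
    tree = ast.parse(source)
    if not _imports_tarfile(tree):
        return []
    finder = _ExtractCallFinder()
    finder.visit(tree)
    return finder.findings


if __name__ == "__main__":
    # expected: [(5, 'extractall')]
    for line, method in find_unfiltered_extract_calls(SAMPLE_SOURCE):
        print(f"line {line}: {method}() called without filter=")
```

Running it over a checkout (one ast.parse per file) gives a quick triage list; each hit still needs a human to confirm that the archive being extracted can come from an untrusted source.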

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
