There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module: https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1
Conclusion & alert: CVE-2025-8194 is rated Moderate Risk (44.7/100): CVSS High severity, with low exploitation likelihood (EPSS 0.59%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 1.01% | 0.59% | -0.42% |
| 2 | 2026-05-24 | 0.26% | 1.01% | +0.75% |
| 3 | 2026-04-23 | — | 0.26% | — |
Full EPSS history (9 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
end-of-life | CVE-2025-8194 end-of-life priority: Debian including 5 source packages (pypy3, python2.7, python3.11, python3.13, python3.9), 11 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 7, open 4. | https://security-tracker.debian.org/tracker/CVE-2025-8194 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2025-8194 |
suse
|
medium | CVE-2025-8194 severity moderate: SUSE including 683 source package names (0.0.17-1.1:libpython3_11-1_0-3.11.13-150600.3.35.1, 0.0.17-1.1:libpython3_6m1_0-3.6.15-150300.10.97.1, …), 2522 product×package rows across 398 product lines (Container bci/kiwi, Container bci/spack, … (398 product lines)): Fixed 2282, Known Affected 226, First Fixed 14. | https://www.suse.com/security/cve/CVE-2025-8194/ |
ubuntu
|
medium | CVE-2025-8194 medium priority: Ubuntu including 12 source packages (python2.7, python3.10, …), 72 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): DNE 41, released 20, needs-triage 10, not-affected 1. | https://ubuntu.com/security/CVE-2025-8194 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | |||