I'm looking for guidance on how to deal with CVE-2024-12718, which has been rated as critical with a CVSS score of 10 by Microsoft Defender. Management has raised concerns, but I'm unsure if Python version 3.14.2 is already patched or if I need to apply a manual fix. If a manual patch is necessary, could someone walk me through the installation process? Most instances I've seen of this vulnerability come up on Windows PCs, where Python might be used for light development or Arduino projects. While I doubt anyone regularly extracts tarfiles, I suspect some scripts or updates might use this functionality without the user knowing.
I installed Python following a specific guide with commands like:

```
winget install 9NQ7512CXL7T
py install
py -3.14-64
cd c:python
py -3.14 -m venv .venv
```
Any advice would be appreciated!
3 Answers
A simple workaround until a patch is available is to just remove the `tarfile` module entirely. It’s easier than dealing with complex fixes, and might keep you safer for now.
It seems like there's some confusion with the CVSS scoring. While Microsoft Defender might have it listed as a 10, many sources are reporting it as a 5.3, which is considered medium-low risk. Have you actually used the `tar.extract` function with any untrusted data? That would be a key point to consider.
It's showing up as a 10 in Defender, which is a big deal for management. I haven't done much with code, mostly just dabbled in Django. I don't think I’ve ever extracted a tarfile directly, but maybe some scripts do that without me realizing it? There was a recent vulnerability noted in an art software that's supposedly not opening tarfiles, yet we still need to address it.
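The check behind "have you extracted untrusted data" above, as an added example that is not from the thread: audit a tarball's members for paths or link targets that escape the extraction directory before extracting, and extract with Python's `data` filter where the interpreter supports it. The sample archive is constructed in memory; the member names and the `demo()` helper are illustrative.

```python
import io
import os
import tarfile
import tempfile

# Constructed sample archive (not from the thread): one benign file, one
# path-traversal member and one symlink aimed at an absolute path.
def build_sample_tar() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"
        for name in ("ok.txt", "../outside.txt"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("etc_passwd")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"
        tar.addfile(link)
    return buf.getvalue()

def _escapes(path: str) -> bool:
    # A tar path is unsafe if it is absolute or climbs out via ".."
    return os.path.isabs(path) or ".." in path.split("/")

def audit_members(tar_bytes: bytes) -> list[tuple[str, str]]:
    """Return (name, reason) for every member that should not be extracted."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            if _escapes(m.name):
                findings.append((m.name, "path escapes extraction directory"))
            elif (m.issym() or m.islnk()) and _escapes(m.linkname):
                findings.append((m.name, "link target escapes extraction directory"))
            elif not (m.isfile() or m.isdir() or m.issym() or m.islnk()):
                findings.append((m.name, "special file type"))
    return findings

def safe_extract(tar_bytes: bytes, dest: str) -> list[str]:
    """Extract only members that pass the audit, with the 'data' filter when available."""
    bad = {name for name, _ in audit_members(tar_bytes)}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        members = [m for m in tar.getmembers() if m.name not in bad]
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(path=dest, members=members, **kwargs)
    return [m.name for m in members]

def demo() -> list[str]:
    dest = tempfile.mkdtemp()  # fresh directory so nothing outside it is touched
    safe_extract(build_sample_tar(), dest)
    return sorted(os.listdir(dest))
```

Run `demo()` to see that only `ok.txt` lands in the destination; the two flagged members are reported by `audit_members()` and never extracted.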
From what I've read, this issue seems to be fixed in Python version 3.15, but that version isn't out yet for normal use. If you're in urgent need of a solution, you could use an alpha build of 3.15 for now if you're comfortable with that.
I’ve never really interacted with the tarfile module, but I know one of the vulnerabilities came up in an art application which doesn’t seem like it would open tarfiles.

I didn’t know removing it was an option! I was worried because of the registry key for pymanager that was linked to the vulnerability. I uninstalled that but it seemed a bit unclear.