Infinite loop in tarfile module while opening a crafted file


This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

Infinite loop in tarfile module while opening a crafted TAR archive in the PAX format with a length of zero.

Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).


  • Disclosure date: 2019-12-10 (Python issue bpo-39017 reported)

Fixed In

Python issue

[CVE-2019-20907] Infinite loop in the tarfile module.

  • Python issue: bpo-39017
  • Creation date: 2019-12-10
  • Reporter: jvoisin


In Lib/ in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by, because _proc_pax lacks header validation.


Timeline using the disclosure date 2019-12-10 as reference: