Python zipfile ZIP64 EOCD Locator offset validation flaw
CVE-2025-8291 Published on October 7, 2025
ZIP64 End of Central Directory (EOCD) Locator record offset not checked
The 'zipfile' module would not check the validity of the ZIP64 End of
Central Directory (EOCD) Locator record offset value would not be used to
locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be
assumed to be the previous record in the ZIP archive. This could be abused
to create ZIP archives that are handled differently by the 'zipfile' module
compared to other ZIP implementations.
Remediation maintains this behavior, but checks that the offset specified
in the ZIP64 EOCD Locator record matches the expected value.
Vulnerability Analysis
CVE-2025-8291 can be exploited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2025-8291. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
Improper Validation of Specified Index, Position, or Offset in Input
The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.
Products Associated with CVE-2025-8291
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-8291 are published in these products:
Affected Versions
Python Software Foundation CPython:- Before 3.9.24 is affected.
- Version 3.10.0 and below 3.10.19 is affected.
- Version 3.11.0 and below 3.11.14 is affected.
- Version 3.12.0 and below 3.12.12 is affected.
- Version 3.13.0 and below 3.13.10 is affected.
- Version 3.14.0 and below 3.14.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.