CVE-2025-4138
Description
RHSA-2025:23530: python39:3.9 security update (Important)
Mitigations
Mitigation details
Description
cpython: python: Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory
Red Hat statement
Versions of python36:3.6/python36 as shipped with Red Hat Enterprise Linux 8 are marked as 'Not affected' as they just provide "symlinks" to the main python3 component, which provides the actual interpreter of the Python programming language.
CVSS v3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
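The flaw class above is a symlink that the tarfile extraction filter should have rejected but did not. The page does not give the specific bypass, so the following is an added defense-in-depth check (not code from the advisory or from CPython): extract with the `data` filter where the interpreter provides one (Python 3.12+, and the 3.8.17 / 3.9.17 / 3.10.12 / 3.11.4 backports of PEP 706), then walk the destination independently and flag any symlink whose resolved target lies outside it. The two archives are constructed in memory; the `../../../../etc/passwd` link is a generic outside-the-tree target chosen for the demonstration, not this CVE's trigger.

```python
import io
import os
import tarfile
import tempfile


def build_tar(members):
    """Build an in-memory tar from (name, kind, payload) tuples. Constructed test data only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, payload in members:
            info = tarfile.TarInfo(name)
            if kind == "dir":
                info.type = tarfile.DIRTYPE
                info.mode = 0o755
                tf.addfile(info)
            elif kind == "file":
                data = payload.encode()
                info.size = len(data)
                info.mode = 0o644
                tf.addfile(info, io.BytesIO(data))
            elif kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tf.addfile(info)
    return buf.getvalue()


# Constructed samples: a benign archive with an in-tree symlink, and one whose
# symlink target resolves outside any destination directory.
BENIGN_TAR = build_tar([
    ("sub", "dir", None),
    ("sub/data.txt", "file", "hello\n"),
    ("sub/ok_link", "symlink", "data.txt"),
])
MALICIOUS_TAR = build_tar([
    ("sub", "dir", None),
    ("sub/data.txt", "file", "hello\n"),
    ("sub/escape", "symlink", "../../../../etc/passwd"),
])


def find_escaping_symlinks(dest):
    """Return (relative_path, link_target) for each symlink under dest resolving outside dest."""
    dest_real = os.path.realpath(dest)
    escaping = []
    # followlinks defaults to False, so the walk never descends through a symlink.
    for root, dirs, files in os.walk(dest):
        for name in dirs + files:
            path = os.path.join(root, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # also resolves dangling links lexically
            if os.path.commonpath([dest_real, target]) != dest_real:
                escaping.append((os.path.relpath(path, dest), os.readlink(path)))
    return escaping


def extract_and_check(tar_bytes, dest):
    """Extract with the 'data' filter when available, then verify the tree independently."""
    filter_error = getattr(tarfile, "FilterError", ())  # absent on pre-PEP 706 interpreters
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        try:
            tf.extractall(dest, **kwargs)
        except filter_error as exc:
            return {"filter_rejected": str(exc), "escaping": []}
    return {"filter_rejected": None, "escaping": find_escaping_symlinks(dest)}


def audit_untrusted_extraction(tar_bytes):
    """Extract with no filtering into a throwaway directory and report what the post-check catches."""
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
            kwargs = {"filter": "fully_trusted"} if hasattr(tarfile, "data_filter") else {}
            tf.extractall(dest, **kwargs)
        return find_escaping_symlinks(dest)


def run_demo():
    """Run both archives through the filtered path; returns per-archive results."""
    results = {}
    for label, archive in (("benign", BENIGN_TAR), ("malicious", MALICIOUS_TAR)):
        with tempfile.TemporaryDirectory() as dest:
            results[label] = extract_and_check(archive, dest)
    return results


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, result)
    print("unfiltered post-check:", audit_untrusted_extraction(MALICIOUS_TAR))
```

On a patched interpreter the `data` filter raises before the link is created; on an unpatched or older one the post-extraction walk still reports it. Keeping both layers is the point: the filter is the one whose bypass this CVE describes, and the walk does not depend on it.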
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Enterprise Linux 10 | python3.12-0:3.12.9-2.el10_0.2 | RHSA-2025:10140 | 2025-07-01T00:00:00Z |
| Red Hat Enterprise Linux 8 | python3.11-0:3.11.13-1.el8_10 | RHSA-2025:10026 | 2025-07-01T00:00:00Z |
| Red Hat Enterprise Linux 8 | python3.12-0:3.12.11-1.el8_10 | RHSA-2025:10031 | 2025-07-01T00:00:00Z |
| Red Hat Enterprise Linux 8 | python3-0:3.6.8-70.el8_10 | RHSA-2025:10128 | 2025-07-01T00:00:00Z |
| Red Hat Enterprise Linux 8 | python39:3.9-8100020251126112422.d47b87a4 | RHSA-2025:23530 | 2025-12-18T00:00:00Z |
| Red Hat Enterprise Linux 8 | python39-devel:3.9-8100020251126112422.d47b87a4 | RHSA-2025:23530 | 2025-12-18T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | python3-0:3.6.8-47.el8_6.8 | RHSA-2025:10484 | 2025-07-07T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On | python3-0:3.6.8-47.el8_6.8 | RHSA-2025:10484 | 2025-07-07T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | python3-0:3.6.8-47.el8_6.8 | RHSA-2025:10484 | 2025-07-07T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | python3-0:3.6.8-47.el8_6.8 | RHSA-2025:10484 | 2025-07-07T00:00:00Z |
| Red Hat Enterprise Linux 8.8 Extended Update Support Long-Life Add-On | python3-0:3.6.8-51.el8_8.10 | RHSA-2025:10602 | 2025-07-08T00:00:00Z |
| Red Hat Enterprise Linux 8.8 Telecommunications Update Service | python3-0:3.6.8-51.el8_8.10 | RHSA-2025:10602 | 2025-07-08T00:00:00Z |
| Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | python3-0:3.6.8-51.el8_8.10 | RHSA-2025:10602 | 2025-07-08T00:00:00Z |
| Red Hat Enterprise Linux 9 | python3.9-0:3.9.21-2.el9_6.1 | RHSA-2025:10136 | 2025-07-01T00:00:00Z |
| Red Hat Enterprise Linux 9 | python3.11-0:3.11.11-2.el9_6.1 | RHSA-2025:10148 | 2025-07-01T00:00:00Z |
| Red Hat Enterprise Linux 9 | python3.12-0:3.12.9-1.el9_6.1 | RHSA-2025:10189 | 2025-07-02T00:00:00Z |
| Red Hat Enterprise Linux 9.4 Extended Update Support | python3.12-0:3.12.1-4.el9_4.6 | RHSA-2025:10028 | 2025-07-01T00:00:00Z |
| Red Hat Enterprise Linux 9.4 Extended Update Support | python3.9-0:3.9.18-3.el9_4.8 | RHSA-2025:10399 | 2025-07-07T00:00:00Z |
| Red Hat Enterprise Linux 9.4 Extended Update Support | python3.11-0:3.11.7-1.el9_4.8 | RHSA-2025:9918 | 2025-06-30T00:00:00Z |
| RHEL-8 based Middleware Containers | rhpam-7/rhpam-businesscentral-monitoring-rhel8:7.13.5-4.1752066672 | RHSA-2025:11386 | 2025-07-17T00:00:00Z |
| RHEL-8 based Middleware Containers | rhpam-7/rhpam-businesscentral-rhel8:7.13.5-4.1752065732 | RHSA-2025:11386 | 2025-07-17T00:00:00Z |
| RHEL-8 based Middleware Containers | rhpam-7/rhpam-controller-rhel8:7.13.5-4.1752065732 | RHSA-2025:11386 | 2025-07-17T00:00:00Z |
| RHEL-8 based Middleware Containers | rhpam-7/rhpam-dashbuilder-rhel8:7.13.5-3.1752065737 | RHSA-2025:11386 | 2025-07-17T00:00:00Z |
| RHEL-8 based Middleware Containers | rhpam-7/rhpam-kieserver-rhel8:7.13.5-4.1752065731 | RHSA-2025:11386 | 2025-07-17T00:00:00Z |
| RHEL-8 based Middleware Containers | rhpam-7/rhpam-operator-bundle:7.13.5-25 | RHSA-2025:11386 | 2025-07-17T00:00:00Z |
| RHEL-8 based Middleware Containers | rhpam-7/rhpam-process-migration-rhel8:7.13.5-4.1752065736 | RHSA-2025:11386 | 2025-07-17T00:00:00Z |
| RHEL-8 based Middleware Containers | rhpam-7/rhpam-rhel8-operator:7.13.5-2.1752065733 | RHSA-2025:11386 | 2025-07-17T00:00:00Z |
| RHEL-8 based Middleware Containers | rhpam-7/rhpam-smartrouter-rhel8:7.13.5-4.1752065755 | RHSA-2025:11386 | 2025-07-17T00:00:00Z |
| RHOSS-1.36-RHEL-8 | openshift-serverless-1/logic-data-index-ephemeral-rhel8:1.36.0-11 | RHSA-2026:0934 | 2026-01-22T00:00:00Z |
| RHOSS-1.36-RHEL-8 | openshift-serverless-1/logic-data-index-postgresql-rhel8:1.36.0-11 | RHSA-2026:0934 | 2026-01-22T00:00:00Z |
| RHOSS-1.36-RHEL-8 | openshift-serverless-1/logic-db-migrator-tool-rhel8:1.36.0-11 | RHSA-2026:0934 | 2026-01-22T00:00:00Z |
| RHOSS-1.36-RHEL-8 | openshift-serverless-1/logic-jobs-service-ephemeral-rhel8:1.36.0-10 | RHSA-2026:0934 | 2026-01-22T00:00:00Z |
| RHOSS-1.36-RHEL-8 | openshift-serverless-1/logic-jobs-service-postgresql-rhel8:1.36.0-10 | RHSA-2026:0934 | 2026-01-22T00:00:00Z |
| RHOSS-1.36-RHEL-8 | openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8:1.36.0-4 | RHSA-2026:0934 | 2026-01-22T00:00:00Z |
| RHOSS-1.36-RHEL-8 | openshift-serverless-1/logic-management-console-rhel8:1.36.0-9 | RHSA-2026:0934 | 2026-01-22T00:00:00Z |
| RHOSS-1.36-RHEL-8 | openshift-serverless-1/logic-rhel8-operator:1.36.0-18 | RHSA-2026:0934 | 2026-01-22T00:00:00Z |
| RHOSS-1.36-RHEL-8 | openshift-serverless-1/logic-swf-builder-rhel8:1.36.0-11 | RHSA-2026:0934 | 2026-01-22T00:00:00Z |
| RHOSS-1.36-RHEL-8 | openshift-serverless-1/logic-swf-devmode-rhel8:1.36.0-7 | RHSA-2026:0934 | 2026-01-22T00:00:00Z |
| cert-manager operator for Red Hat OpenShift 1.16 | cert-manager/jetstack-cert-manager-rhel9:v1.16.5-1760515757 | RHSA-2025:18219 | 2025-10-16T00:00:00Z |
| Red Hat Discovery 2 | discovery/discovery-server-rhel9:2.0.1-1754478727 | RHSA-2025:13267 | 2025-08-06T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 8 | python36:3.6/python36 | Not affected |
| Red Hat OpenShift Container Platform 4 | rhcos | Not affected |
Apply commands
# Use the package name from the errata row for your product: python3 for the
# python3-0:3.6.8 rows, python3.11 / python3.12 for those rows, or the python39
# module stream for RHSA-2025:23530.
yum update -y python3
# or:
dnf upgrade -y python3
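Updating blindly is fine; confirming that a host is actually at or above the fixed build is the check a practitioner usually needs, and plain string comparison gets rpm versions wrong. Below is an added example (not rpm's or Red Hat's code) that ports rpm's `rpmvercmp` ordering to Python and compares an installed `name-epoch:version-release` string against the fixed NEVRs copied from the errata table above. It assumes the installed string is produced with `rpm -q --qf '%{NAME}-%{EPOCHNUM}:%{VERSION}-%{RELEASE}\n' <pkg>`. The `python39:3.9-...` rows are module streams, not package NEVRs, and are deliberately left out of the table.

```python
import re
import string

_ALNUM = set(string.ascii_letters + string.digits)


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp() ordering: returns -1, 0 or 1. Added here; not rpm's own code."""
    if a == b:
        return 0
    i = j = 0
    while True:
        # Only alphanumerics, '~' and '^' are significant; everything else is a separator.
        while i < len(a) and a[i] not in _ALNUM and a[i] not in "~^":
            i += 1
        while j < len(b) and b[j] not in _ALNUM and b[j] not in "~^":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":  # tilde sorts before anything, even end of string
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":  # caret: like tilde, except end of string sorts lower
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        if ca in string.digits:
            pat, isnum = r"[0-9]+", True
        else:
            pat, isnum = r"[A-Za-z]+", False
        s1 = re.match(pat, a[i:]).group(0)
        m2 = re.match(pat, b[j:])
        if m2 is None:  # segment kinds differ: numeric segment beats alphabetic
            return 1 if isnum else -1
        s2 = m2.group(0)
        i, j = i + len(s1), j + len(s2)
        if isnum:
            s1, s2 = s1.lstrip("0"), s2.lstrip("0")
            if len(s1) != len(s2):
                return 1 if len(s1) > len(s2) else -1
        if s1 != s2:
            return 1 if s1 > s2 else -1
    if not ca and not cb:
        return 0
    return -1 if not ca else 1


def parse_nevr(nevr):
    """Split 'name-epoch:version-release' (the errata table's format) into its parts."""
    name, ev, release = nevr.rsplit("-", 2)
    epoch, _, version = ev.rpartition(":")
    return name, int(epoch or 0), version, release


def nevr_cmp(a, b):
    n1, e1, v1, r1 = parse_nevr(a)
    n2, e2, v2, r2 = parse_nevr(b)
    if n1 != n2:
        raise ValueError(f"different packages: {n1} vs {n2}")
    if e1 != e2:
        return 1 if e1 > e2 else -1
    c = rpmvercmp(v1, v2)
    return c if c else rpmvercmp(r1, r2)


def is_fixed(installed, fixed):
    """True when the installed NEVR is at or above the fixed NEVR for the same package."""
    return nevr_cmp(installed, fixed) >= 0


# Fixed NEVRs copied from the errata table on this page (rpm rows only).
FIXED = {
    ("Red Hat Enterprise Linux 10", "python3.12"): "python3.12-0:3.12.9-2.el10_0.2",
    ("Red Hat Enterprise Linux 8", "python3"): "python3-0:3.6.8-70.el8_10",
    ("Red Hat Enterprise Linux 8", "python3.11"): "python3.11-0:3.11.13-1.el8_10",
    ("Red Hat Enterprise Linux 8", "python3.12"): "python3.12-0:3.12.11-1.el8_10",
    ("Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On", "python3"): "python3-0:3.6.8-47.el8_6.8",
    ("Red Hat Enterprise Linux 9", "python3.9"): "python3.9-0:3.9.21-2.el9_6.1",
    ("Red Hat Enterprise Linux 9", "python3.11"): "python3.11-0:3.11.11-2.el9_6.1",
    ("Red Hat Enterprise Linux 9", "python3.12"): "python3.12-0:3.12.9-1.el9_6.1",
}


def check_installed(product, installed_nevr):
    """True/False against the row for this product and package; None when the page has no such row."""
    name = parse_nevr(installed_nevr)[0]
    fixed = FIXED.get((product, name))
    return None if fixed is None else is_fixed(installed_nevr, fixed)


if __name__ == "__main__":
    print(check_installed("Red Hat Enterprise Linux 8", "python3-0:3.6.8-62.el8_10"))
```

Compare against the row for your own product stream: the 8.6 EUS fix `3.6.8-47.el8_6.8` is numerically below the RHEL 8.10 fix `3.6.8-70.el8_10` yet is the fixed build for that stream, so a host on 8.6 EUS must not be judged against the 8.10 row.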
Affected
| Vendor | Product | Status |
|---|---|---|
| redhat | Red Hat Enterprise Linux 8 | Not affected |
| redhat | Red Hat OpenShift Container Platform 4 | Not affected |
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| rocky | 8 | fixed | |
| rhel | 9 | fixed | |
| debian | bookworm | fixed | 0 |
| debian | bullseye | fixed | 0 |
| debian | forky | fixed | 0 |
| debian | sid | fixed | 0 |
| debian | trixie | fixed | 0 |
| sles | | affected | |
| rocky | 9 | fixed | |
| almalinux | 9 | fixed | python-unversioned-command-3.9.21-2.el9_6.1.noarch.rpm |
| rhel | 8 | fixed | |
References
- https://errata.rockylinux.org/RLSA-2025:23530
- https://access.redhat.com/errata/RHSA-2025:10136
- https://access.redhat.com/errata/RHSA-2025:10148
- https://access.redhat.com/errata/RHSA-2025:10189
- https://errata.rockylinux.org/RLSA-2025:10026
- https://errata.rockylinux.org/RLSA-2025:10031
- https://security-tracker.debian.org/tracker/CVE-2025-4138
- https://www.suse.com/security/cve/CVE-2025-4138.html
- https://errata.rockylinux.org/RLSA-2025:10189
- https://access.redhat.com/errata/RHSA-2025:10026
- https://bugzilla.redhat.com/2370010
- https://bugzilla.redhat.com/2370013
- https://bugzilla.redhat.com/2370014
- https://bugzilla.redhat.com/2370016
- https://bugzilla.redhat.com/2372426
- https://errata.almalinux.org/8/ALSA-2025-10026.html
- https://access.redhat.com/errata/RHSA-2025:10031
- https://errata.almalinux.org/8/ALSA-2025-10031.html
- https://access.redhat.com/errata/RHSA-2025:10128
- https://errata.almalinux.org/8/ALSA-2025-10128.html
- https://errata.almalinux.org/9/ALSA-2025-10136.html
- https://errata.almalinux.org/9/ALSA-2025-10148.html
- https://errata.almalinux.org/9/ALSA-2025-10189.html
- https://access.redhat.com/errata/RHSA-2025:23530
- https://bugzilla.redhat.com/2294682