MGASA-2025-0280

Advisory lineage Upstream: 10 Downstream: 0
Published: 12 Nov 2025, 21:29
Last modified:16 Apr 2026, 04:20

Vulnerability Summary

Overall Risk (default)
minimal
0/100
CVSS Score
No data
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

12 Nov 2025, 21:29
Published
Vulnerability first disclosed
16 Apr 2026, 04:20
Last Modified
Vulnerability information updated

Description

Updated python3 packages fix security vulnerabilities URL parser allowed square brackets in domain names. (CVE-2025-0938) Mishandling of comma during folding and unicode-encoding of email headers. (CVE-2025-1795) Virtual environment (venv) activation scripts don't quote paths. (CVE-2024-9287) Use-after-free in "unicode_escape" decoder with error handler. (CVE-2025-4516) Bypass extraction filter to modify file metadata outside extraction directory. (CVE-2024-12718) Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory. (CVE-2025-4138) Extraction filter bypass for linking outside extraction directory. (CVE-2025-4330) Tarfile extracts filtered members when errorlevel=0. (CVE-2025-4435) Arbitrary writes via tarfile realpath overflow. (CVE-2025-4517) Tarfile infinite loop during parsing with negative member offset. (CVE-2025-8194)

Affected Systems

  • mageiapython3

    < 3.10.18-1.4.mga9

References (10)