This ancient unpatched Python security flaw could leave thousands of projects vulnerable TechRadar Skip to main content TechRadar is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Here's why you can trust us. This ancient unpatched Python security flaw could leave thousands of projects vulnerable By Sead Fadilpašić published 22 September 2022 15-year-old unpatched Python flaw has resurfaced (Image credit: Elchinator from Pixabay ) Audio player loading… A rather old unpatched Python security vulnerability has resurfaced, causing researchers to warn that hundreds of thousands of projects might be vulnerable to code execution. Cybersecurity researchers from Trellix have recently spotted (opens in new tab) CVE-2007-4559, a flaw in the Python tarfile package, first discovered back in 2007. However, back then, the flaw never received a patch, but rather just a warning published in a security bulletin. Identifying vulnerable projects The vulnerability is in code that uses un-sanitized tarfile.extract() function, or the built-in defaults of tarfileextractall(). "It's a path traversal bug that enables an attacker to overwrite arbitrary files," the publication wrote. Now, researchers are saying, the flaw gives a bad actor access to the file system. Python's bug tracker was updated with an announcement of a closed issue, with a further addition that "it might be dangerous to extract archives from untrusted sources." The flaw is abusable both on Windows, and on Linux, it was said. Fifteen years is a long time, and apparently, some 350,000 projects might be vulnerable. Trellix's researchers first took a sample of 257 repositories(61%) were vulnerable. An automated analysis came back with a 65% positive rate. Read more> Check out the best endpoint protection tools right now (opens in new tab) > Python is about to solve one of its most frustrating issues > Python programming libraries found hiding security threats Then, together with GitHub, Trellix's researchers found 588,840 unique repositories that include "import tarfile" in its Python code, which drew them to the conclusion that 350,000 (or roughly 61%), might be vulnerable. The problem is present in a "vast number" of industries, the researchers further found. The development (opens in new tab) sector is, unsurprisingly, the most impacted one, followed by web and machine learning technology. Trellix's researchers issued fixes for some 11,000 projects, available as a fork of the affected repository. These patches will be added to the main project via pull request at a later date, it was added. Another 70,000 projects should get their fixes within a couple of weeks, but for all to be remedied, it's going to take a little while.Here's our rundown of the best firewalls (opens in new tab) around Sead Fadilpašić Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he's written for numerous media outlets, including Al Jazeera Balkans. He's also held several modules on content writing for Represent Communications. See more Computing news Are you a pro? Subscribe to our newsletter Sign up to theTechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed! Thank you for signing up to TechRadar. You will receive a verification email shortly. There was a problem. Please refresh the page and try again. MOST POPULARMOST SHARED1The iPhone 14 Pro is made of the wrong stuff; the Pixel 7 proves that to me2Stop saying Mario doesn't have an accent in The Super Mario Bros. Movie3Google Pixel Tablet is what Apple should've done ages ago4RTX 4090 too expensive? Nvidia resurrects another old favorite5Blizzard made me explain Overwatch 2 smurfing to my mum for nothing1Logitech's latest webcam and headset want to relieve your work day frustrations2Best offers on Laptops for Education – this festive season3Apple October launches: the new devices we might see this month4Google's AI editing tricks are making Photoshop irrelevant for most people5Best laptops for designers and coders Technology Magazines (opens in new tab)● (opens in new tab)The best tech tutorials and in-depth reviewsFrom$12.99 (opens in new tab)View (opens in new tab)