Python < 3.12.2 — Path Traversal
Python's zipimport module is vulnerable to path traversal when importing from maliciously crafted ZIP archives. Update to Python 3.12.2 / 3.11.8 / 3.10.14 — relevant to any server running untrusted Python packages.
An attacker who can influence which ZIP files are imported (e.g., via a compromised package source, a shared package directory, or a file upload feature) can overwrite arbitrary files on the server with the permissions of the Python process. This can escalate to code execution if system or configuration files are overwritten.
Python's zipimport module, used to import Python packages from ZIP archives, does not properly validate file paths within the archive. A maliciously crafted ZIP file can escape the intended extraction directory via path traversal (using sequences like ../), potentially overwriting files outside the expected location.
A CI/CD pipeline downloads and installs Python packages from an internal PyPI mirror. An attacker who compromises the internal mirror can upload a malicious package with a crafted ZIP that overwrites configuration files during installation, achieving arbitrary file write on every build server that installs the package.
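A defensive pre-check for the crafted archives described above, as an added example that is not part of the original page or of CPython's zipimport: it lists ZIP entry names that could resolve outside the archive root so an archive can be rejected before it is placed on sys.path. The function names and the sample archive are constructed for this example.

```python
import io
import zipfile
from typing import List

# Hypothetical helper (added example): inspect a ZIP archive's entry names
# before the archive is placed on sys.path, flagging any name that could
# resolve outside the archive root.
def unsafe_entry_names(zip_bytes: bytes) -> List[str]:
    """Return entry names containing traversal components, absolute paths,
    Windows drive letters or backslash separators."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Examine "..\\x" the same way as "../x": split on both separators.
            parts = name.replace("\\", "/").split("/")
            if (
                name.startswith(("/", "\\"))            # absolute path
                or (len(name) > 1 and name[1] == ":")   # drive letter, e.g. C:\
                or ".." in parts                        # traversal component
                or "\\" in name                         # non-canonical separator
            ):
                flagged.append(name)
    return flagged


def archive_is_safe(zip_bytes: bytes) -> bool:
    """True when no entry name could escape the archive root."""
    return not unsafe_entry_names(zip_bytes)


def build_sample_archive(hostile: bool) -> bytes:
    """Constructed sample archive: a benign package, plus three entry names
    of the kind the text describes when hostile=True."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/__init__.py", "VALUE = 1\n")
        zf.writestr("pkg/util.py", "def f():\n    return 1\n")
        if hostile:
            zf.writestr("../../etc/app.conf", "overwritten\n")
            zf.writestr("/tmp/absolute.py", "")
            zf.writestr("..\\..\\win.ini", "")
    return buf.getvalue()


if __name__ == "__main__":
    for hostile in (False, True):
        data = build_sample_archive(hostile)
        label = "hostile" if hostile else "clean"
        print(label, archive_is_safe(data), unsafe_entry_names(data))
```

Screening entry names this way complements, rather than replaces, updating to the fixed versions listed above.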
Manual remediation steps
Estimated time: 15 minutes
Check Python version
python --version 2>&1
python3 --version 2>&1
# Find all Python installations
Get-Command python* | Select-Object Source, Version
Update Python
# Via winget:
winget upgrade Python.Python.3.12
winget upgrade Python.Python.3.11
winget upgrade Python.Python.3.10
# Or download the Windows installer from https://www.python.org/downloads/
Verify
python --version
# Must show 3.12.2+ / 3.11.8+ / 3.10.14+ / 3.9.19+
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.