synapse is vulnerable to Infinite Loop
75
High Risk
A defect in the CPython tarfile module affects the TarFile extraction and entry-enumeration APIs: the implementation does not properly handle tar archives whose entries carry negative offsets, so a maliciously crafted archive can drive the parser into an infinite loop and hang or deadlock the application during parsing. The result is a denial of service in affected systems. The patched version adds safeguards that detect such invalid tar entries and refuse to process them.
You are affected if you are using a version that falls within the vulnerable range.
synapse is vulnerable to Infinite Loop in versions 2.0.0 - 2.217.0.
Upgrade the synapse library to the patched version.
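As an added illustration (not code from this advisory, from synapse or from CPython), the following pre-extraction check walks an archive's 512-byte header blocks without extracting anything and rejects any member whose size field decodes to a negative number (the condition under which the next-header offset cannot advance, as described above) or whose data runs past the end of the archive. It assumes the GNU base-256 convention for binary numeric fields (a leading 0x80 byte for positive, 0xFF for negative values); the sample archive is constructed in memory.

```python
import io
import tarfile

BLOCK = 512


def decode_number(raw: bytes) -> int:
    """Decode a tar numeric header field.

    Assumed convention: ASCII octal, or GNU base-256 when the high bit of
    the first byte is set (0x80 prefix = positive, 0xFF prefix = negative
    two's-complement). A negative value is exactly what must be rejected.
    """
    if raw[0] & 0x80:
        n = int.from_bytes(raw[1:], "big")
        return n - (1 << (8 * (len(raw) - 1))) if raw[0] == 0xFF else n
    text = raw.split(b"\0", 1)[0].strip()
    return int(text, 8) if text else 0


def check_tar_offsets(data: bytes, max_members: int = 100_000) -> list:
    """Return (name, size) for each member, or raise ValueError on a bad one."""
    members, offset = [], 0
    while offset + BLOCK <= len(data):
        header = data[offset:offset + BLOCK]
        if header == b"\0" * BLOCK:  # end-of-archive marker
            break
        size = decode_number(header[124:136])
        if size < 0:
            raise ValueError(f"member at offset {offset} has negative size {size}")
        # With size >= 0 the next header offset always advances by >= BLOCK,
        # so the walk cannot revisit the same header.
        next_offset = offset + BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK
        if next_offset > len(data):
            raise ValueError(f"member at offset {offset} runs past end of archive")
        name = header[0:100].split(b"\0", 1)[0].decode("utf-8", "replace")
        members.append((name, size))
        if len(members) > max_members:
            raise ValueError("too many members")
        offset = next_offset
    return members


def build_sample_archive() -> bytes:
    """Constructed sample input: a small, valid two-member archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("a.txt", b"hello"), ("dir/b.bin", b"x" * 1000)):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

Run the check on untrusted archives before handing them to `tarfile` on an interpreter that has not yet received the fix; a raised `ValueError` means the archive should be discarded rather than parsed.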