
[v2] Update Python interpreter to address CVE-2025-8291 in zipfile used by AWS CLI v2

shreyasprabhakar-boop opened this issue · 4 comments

Vulnerability in Python zipfile module (ZIP64 EOCD offset validation)

Description / Context

The Python zipfile module (versions ≤ 3.13.7) does not validate the ZIP64 End of Central Directory (EOCD) Locator offset correctly. Specifically:

  • The module assumes the previous record is the ZIP64 EOCD record instead of checking the offset specified in the EOCD Locator.
  • This can lead to ZIP archives being interpreted differently than other ZIP implementations.
  • Potential risks include:
    • Unexpected behavior when extracting ZIP files
    • Possible file overwrites
    • Security issues in applications relying on zipfile for ZIP processing

Reference:

  • Python changelog: updating from 3.13.7 → 3.14.1 fixes this by validating the EOCD offset.

Labels

security docker python dependency

Use Case

Impact on our project / Docker images

  • Our Docker images currently install Python 3.x from Amazon Linux 2023 repositories.
  • The zipfile module included in these images is vulnerable if the Python version is ≤3.13.7.
  • If Python is required in the image, it must be upgraded to ≥3.14.1.
  • If Python is not required, it’s safer to remove it entirely, reducing attack surface.

Proposed Solution

Recommended Actions

  1. Upgrade Python to version ≥3.14.1 in Docker images.
  2. Rebuild Docker images using the latest OS base image.
  3. If Python is not required, remove it from the image entirely.

Other Information

No response

Acknowledgements

  • [ ] I may be able to implement this feature request
  • [ ] This feature might incur a breaking change

CLI version used

2.31.13

Environment details (OS name and version, etc.)

Ubuntu

shreyasprabhakar-boop · Oct 13 '25 11:10
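The ambiguity the report describes, worked through on constructed bytes. This is an added example, not code from the aws-cli project or from the CPython patch: it builds two in-memory archive tails (zero padding stands in for the local headers and central directory, and no archive comment is present), then reads the ZIP64 EOCD record three ways. `zip64_eocd_adjacent` is the pre-fix reading (take the 56 bytes just before the locator), `zip64_eocd_via_locator` seeks to the offset the locator declares, and `zip64_eocd_strict` accepts an archive only when the declared record ends exactly where the locator begins. That strict policy is this example's choice; whether CPython's fix rejects or merely follows such archives is not something the thread states.

```python
"""ZIP64 EOCD locator consistency check (added example; not aws-cli or CPython code).

Trailing records of a ZIP64 archive, as this check sees them:

    ... local headers, central directory ...
    [ZIP64 EOCD record]  "PK\x06\x06", 56-byte fixed part (+ optional extensible data)
    [ZIP64 EOCD locator] "PK\x06\x07", 20 bytes, carries the record's absolute offset
    [EOCD record]        "PK\x05\x06", 22 bytes (+ optional comment)

All tails below are constructed in memory; only the trailing records are real.
"""
import struct

EOCD_SIG, ZIP64_LOC_SIG, ZIP64_EOCD_SIG = b"PK\x05\x06", b"PK\x06\x07", b"PK\x06\x06"
EOCD_SIZE, ZIP64_LOC_SIZE, ZIP64_EOCD_SIZE = 22, 20, 56


class BadZip64(ValueError):
    """Trailing records are malformed or name two different ZIP64 EOCD records."""


def build_zip64_eocd(cd_offset, cd_size, entries):
    # "size" field excludes the 12 bytes of signature and the size field itself
    return struct.pack("<4sQHHIIQQQQ", ZIP64_EOCD_SIG, ZIP64_EOCD_SIZE - 12,
                       45, 45, 0, 0, entries, entries, cd_size, cd_offset)


def build_locator(zip64_eocd_offset):
    return struct.pack("<4sIQI", ZIP64_LOC_SIG, 0, zip64_eocd_offset, 1)


def build_eocd():
    # 0xFFFF / 0xFFFFFFFF fields tell readers to consult the ZIP64 record instead
    return struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, 0xFFFF, 0xFFFF,
                       0xFFFFFFFF, 0xFFFFFFFF, 0)


def consistent_tail():
    """Well-formed: the locator points at the record immediately preceding it."""
    data = bytearray(b"\0" * 64)            # constructed stand-in for headers + central dir
    rec_off = len(data)
    data += build_zip64_eocd(cd_offset=16, cd_size=48, entries=1)
    data += build_locator(rec_off)
    data += build_eocd()
    return bytes(data)


def ambiguous_tail():
    """Crafted: the locator names one record, another record sits before the locator."""
    data = bytearray(b"\0" * 64)
    decoy_off = len(data)
    data += build_zip64_eocd(cd_offset=0, cd_size=64, entries=2)   # what the locator names
    data += b"\0" * 16
    data += build_zip64_eocd(cd_offset=16, cd_size=48, entries=1)  # what precedes the locator
    data += build_locator(decoy_off)
    data += build_eocd()
    return bytes(data)


def _parse_zip64_eocd(data, off):
    if off < 0 or off + ZIP64_EOCD_SIZE > len(data):
        raise BadZip64("ZIP64 EOCD offset %d out of range" % off)
    f = struct.unpack_from("<4sQHHIIQQQQ", data, off)
    if f[0] != ZIP64_EOCD_SIG:
        raise BadZip64("no ZIP64 EOCD signature at offset %d" % off)
    # end of the record = offset + 12 header bytes + declared size (covers extensible data)
    return {"entries": f[7], "cd_size": f[8], "cd_offset": f[9], "end": off + 12 + f[1]}


def _locator_offset(data):
    # Constructed tails carry no comment, so the EOCD is the last 22 bytes;
    # a general reader must scan backwards through a possible comment first.
    eocd = len(data) - EOCD_SIZE
    if eocd < 0 or data[eocd:eocd + 4] != EOCD_SIG:
        raise BadZip64("EOCD record not found")
    loc = eocd - ZIP64_LOC_SIZE
    if loc < 0 or data[loc:loc + 4] != ZIP64_LOC_SIG:
        raise BadZip64("no ZIP64 EOCD locator before the EOCD record")
    return loc


def zip64_eocd_adjacent(data):
    """Pre-fix reading: assume the record is the 56 bytes right before the locator."""
    loc = _locator_offset(data)
    return _parse_zip64_eocd(data, loc - ZIP64_EOCD_SIZE)


def zip64_eocd_via_locator(data):
    """Seek to the offset the locator declares, as most other ZIP readers do."""
    loc = _locator_offset(data)
    rec_off = struct.unpack_from("<4sIQI", data, loc)[2]
    if rec_off + ZIP64_EOCD_SIZE > loc:
        raise BadZip64("locator offset %d overlaps the locator at %d" % (rec_off, loc))
    return _parse_zip64_eocd(data, rec_off)


def zip64_eocd_strict(data):
    """Accept only when the declared record ends exactly where the locator starts."""
    loc = _locator_offset(data)
    rec = zip64_eocd_via_locator(data)
    if rec["end"] != loc:
        raise BadZip64("ZIP64 EOCD record ends at %d but locator starts at %d; "
                       "other readers would see a different archive" % (rec["end"], loc))
    return rec


def is_consistent(data):
    """True when the adjacent and locator-based readings cannot diverge."""
    try:
        zip64_eocd_strict(data)
        return True
    except BadZip64:
        return False
```

On the crafted tail the two legacy readings disagree on which central directory the archive has (one entry at offset 16 versus two entries at offset 0), which is exactly the "interpreted differently than other ZIP implementations" condition the report names; the strict reader refuses it outright.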

Thanks for reaching out. Our team is taking a look at this, and I'll let you know when we have any updates.

Ticket # for internal use : D322688316

RyanFitzSimmonsAK · Oct 14 '25 19:10

Thanks for your patience. According to https://github.com/python/cpython/issues/139700#issuecomment-3415349676, Python v3.13.10 will include a fix for this. We don't have plans to move the AWS CLI v2 installers to Python 3.14 at this time, but we'll upgrade to v3.13.10 when it's available.

RyanFitzSimmonsAK · Oct 17 '25 20:10

Any update on this issue?

shreyasprabhakar-boop · Nov 02 '25 16:11

> Any update on this issue?

Not yet, Python v3.13.10 hasn't released yet. We recently upgraded to v3.13.9, but that doesn't contain the fix for this issue.

RyanFitzSimmonsAK · Nov 03 '25 20:11

We modified this Issue to be focused on addressing the CVE detection, rather than on supporting Python 3.14.

The bundled Python interpreter has been upgraded to version 3.13.11 in AWS CLI version 2.32.15, which should resolve the CVE being detected by scanners.

To track Python 3.14 support, see https://github.com/aws/aws-cli/issues/9914.

aemous · Dec 11 '25 21:12
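A way to verify on a host that the bundled interpreter is past the threshold the thread settles on. This is an added example, not code from the aws-cli project: it parses the `aws-cli/X.Y.Z Python/A.B.C ...` line that `aws --version` prints and applies the figures stated above (Python 3.13.10 as the first 3.13.x with the fix, AWS CLI 2.32.15 as the release bundling 3.13.11, and the reporter's 3.14.1 for the 3.14 line). Treating 3.15 and later as fixed is an assumption, and the sample output lines are constructed for illustration.

```python
"""Classify an AWS CLI v2 install by its bundled Python (added example, not aws-cli code)."""
import re
import subprocess

# First patch release per CPython minor line said in the thread to carry the fix.
FIXED_MICRO = {13: 10, 14: 1}
FIXED_CLI = (2, 32, 15)   # release the thread names as bundling Python 3.13.11

# `aws --version` output looks like: aws-cli/2.32.15 Python/3.13.11 Linux/... exe/... prompt/off
VERSION_RE = re.compile(r"^aws-cli/(\d+)\.(\d+)\.(\d+)\s+Python/(\d+)\.(\d+)\.(\d+)")

# Constructed sample lines (version pairings chosen for illustration only).
SAMPLES = [
    "aws-cli/2.31.13 Python/3.13.9 Linux/6.8.0-45-generic exe/x86_64.ubuntu.24 prompt/off",
    "aws-cli/2.32.15 Python/3.13.11 Linux/6.8.0-45-generic exe/x86_64.ubuntu.24 prompt/off",
]


def parse_aws_version(line):
    """Return ((cli major, minor, patch), (py major, minor, micro)) from one output line."""
    m = VERSION_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised `aws --version` output: %r" % line)
    n = tuple(int(x) for x in m.groups())
    return n[:3], n[3:]


def python_has_fix(py):
    major, minor, micro = py
    if major != 3:
        return False
    if minor >= 15:            # assumption: later lines branched after the fix landed
        return True
    return minor in FIXED_MICRO and micro >= FIXED_MICRO[minor]


def assess(line):
    """Decision record for one `aws --version` line."""
    cli, py = parse_aws_version(line)
    fixed = python_has_fix(py)
    return {
        "cli": cli,
        "python": py,
        "fixed": fixed,
        "advice": None if fixed else "upgrade to AWS CLI >= %d.%d.%d" % FIXED_CLI,
    }


def assess_installed():
    """Run the real binary; combine streams in case the version goes to stderr."""
    out = subprocess.run(["aws", "--version"], capture_output=True, text=True, check=True)
    return assess(out.stdout + out.stderr)


if __name__ == "__main__":
    for s in SAMPLES:
        print(assess(s))
```

Because scanners key on the interpreter version rather than on `zipfile` behaviour, the `python` tuple in the result is the field to compare against whatever the scanner reports; the `advice` string is only filled in when the bundled interpreter is below the thread's threshold.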

This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.

github-actions[bot] · Dec 11 '25 21:12