AI description
CVE-2025-62518, also known as "TARmageddon," is a boundary parsing vulnerability in astral-tokio-tar, a Rust library for reading and writing tar archives asynchronously. The flaw stems from inconsistent handling of PAX and ustar headers: when an archive carries a PAX extended header whose `size` record overrides the ustar size field, the parser advances the stream position by the ustar size (often zero) instead of the PAX-specified size. The bytes that follow, which are really the file's content, are then interpreted as further tar headers, which lets an attacker "smuggle" additional entries into an extraction. Because smuggled entries can overwrite files on the extracting system, the issue can potentially lead to remote code execution. It affects projects that rely on the async-tar library and its forks, including tokio-tar, uv (Astral's Python package manager), testcontainers, and wasmCloud. Users should update to astral-tokio-tar 0.5.6 or later, which honours the PAX size when skipping entry data.
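As an added example (not code from astral-tokio-tar, tokio-tar or async-tar; the function names and the sample archive are my own), the following Rust program builds a constructed archive in which the PAX `size` record and the ustar size field disagree, then lists its entries twice: once with a reader that honours the PAX record (the patched behaviour) and once with a reader that advances by the ustar field (the pre-0.5.6 behaviour described above). It uses only the standard library and hand-builds the tar bytes, so none of the crates named on this page are exercised:

```rust
// Added example (not astral-tokio-tar code): a std-only tar model of the CVE-2025-62518 bug.
use std::collections::HashMap;
const BLOCK: usize = 512;

fn pad_len(n: usize) -> usize {
    (n + BLOCK - 1) / BLOCK * BLOCK // round up to the next 512-byte block
}

/// Build a ustar header; `size` goes in the octal size field. uid/gid/mtime stay zero.
fn ustar_header(name: &str, typeflag: u8, size: usize) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..108].copy_from_slice(b"0000644\0"); // mode
    h[124..136].copy_from_slice(format!("{:011o}\0", size).as_bytes());
    h[156] = typeflag;
    h[257..263].copy_from_slice(b"ustar\0"); // magic
    h[263..265].copy_from_slice(b"00"); // version
    // The checksum is computed with the checksum field itself filled with spaces.
    h[148..156].copy_from_slice(b"        ");
    let sum: u32 = h.iter().map(|&b| b as u32).sum();
    h[148..156].copy_from_slice(format!("{:06o}\0 ", sum).as_bytes());
    h
}

/// One PAX record, "<len> key=value\n", where <len> counts the whole record.
fn pax_record(key: &str, value: &str) -> Vec<u8> {
    let body = format!(" {}={}\n", key, value);
    let mut len = body.len() + 1;
    while len.to_string().len() + body.len() != len { len += 1; }
    format!("{}{}", len, body).into_bytes()
}

fn parse_size(h: &[u8]) -> usize {
    let s = String::from_utf8_lossy(&h[124..136]);
    usize::from_str_radix(s.trim_matches(|c: char| c == '\0' || c == ' '), 8).unwrap_or(0)
}

fn parse_pax(mut rest: &[u8]) -> HashMap<String, String> {
    let mut m = HashMap::new();
    while let Some(sp) = rest.iter().position(|&b| b == b' ') {
        let len = match String::from_utf8_lossy(&rest[..sp]).parse::<usize>() {
            Ok(l) if l > sp + 1 && l <= rest.len() => l,
            _ => break, // stop at the first malformed record
        };
        if let Some((k, v)) = String::from_utf8_lossy(&rest[sp + 1..len - 1]).split_once('=') {
            m.insert(k.to_string(), v.to_string());
        }
        rest = &rest[len..];
    }
    m
}

/// Entry names a reader yields; `honor_pax_size` = patched (skip by PAX size) vs pre-0.5.6 (ustar size).
fn list_entries(archive: &[u8], honor_pax_size: bool) -> Vec<String> {
    let mut names = Vec::new();
    let mut pending_pax: Option<HashMap<String, String>> = None;
    let mut pos = 0;
    while pos + BLOCK <= archive.len() {
        let h = &archive[pos..pos + BLOCK];
        if h.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        let ustar_size = parse_size(h);
        let data_start = pos + BLOCK;
        if h[156] == b'x' {
            pending_pax = Some(parse_pax(&archive[data_start..(data_start + ustar_size).min(archive.len())]));
            pos = data_start + pad_len(ustar_size);
        } else {
            let pax = pending_pax.take().unwrap_or_default();
            let advance = match pax.get("size").and_then(|s| s.parse::<usize>().ok()) {
                Some(s) if honor_pax_size => s,
                _ => ustar_size, // the bug: file content is then re-read as headers
            };
            let name_end = h[..100].iter().position(|&b| b == 0).unwrap_or(100);
            names.push(String::from_utf8_lossy(&h[..name_end]).into_owned());
            pos = data_start + pad_len(advance);
        }
    }
    names
}

/// Constructed sample: outer.txt says size 0 in its ustar field but 1024 via PAX,
/// and its data is itself a complete tar entry named smuggled.txt.
fn build_smuggling_archive() -> Vec<u8> {
    let body = b"this entry should never be visible as its own file\n";
    let mut inner = ustar_header("smuggled.txt", b'0', body.len()).to_vec();
    inner.extend_from_slice(body);
    inner.resize(pad_len(inner.len()), 0);
    let pax = pax_record("size", &inner.len().to_string());
    let mut archive = ustar_header("PaxHeaders/outer.txt", b'x', pax.len()).to_vec();
    archive.extend_from_slice(&pax);
    archive.resize(pad_len(archive.len()), 0);
    archive.extend_from_slice(&ustar_header("outer.txt", b'0', 0));
    archive.extend_from_slice(&inner);
    archive.extend_from_slice(&[0u8; 2 * BLOCK]);
    archive
}

fn main() {
    let a = build_smuggling_archive();
    println!("patched: {:?}  buggy: {:?}", list_entries(&a, true), list_entries(&a, false));
}
```

The patched reader returns only `outer.txt`; the buggy reader additionally yields `smuggled.txt`, because after advancing zero bytes it lands on the header that was embedded in `outer.txt`'s content. The headers carry valid checksums, so the bytes can be written to disk and compared against the system `tar`. One caveat when turning this into a pre-extraction check: a PAX `size` record that disagrees with the ustar field is not by itself a sign of tampering, since the 11-octal-digit ustar field cannot represent files of 8 GiB or more and writers rely on the PAX record for those. The fix is to honour the PAX value when skipping data, as 0.5.6 does, not to reject every mismatch.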
- Description
- astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds.
- Source
- security-advisories@github.com
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 8.1
- Impact score
- 5.2
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
- Severity
- HIGH
- Source
- security-advisories@github.com
- Weakness
- CWE-843 (Access of Resource Using Incompatible Type, "Type Confusion")
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
- 19
🚨 'TARmageddon' flaw (CVE-2025-62518) in async-tar Rust library & forks allows RCE. High-severity warning for developers! https://t.co/gJPBDsAfMy #RustLang #Cybersecurity #RCE #Vulnerability #TARmageddon
@0xT3chn0m4nc3r
22 Oct 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
📌 Cybersecurity researchers have disclosed a serious vulnerability in the async-tar library for the Rust language that could lead to remote code execution. The vulnerability has been assigned CVE-2025-62518, scored 8.1, and named T
@Cybercachear
22 Oct 2025
41 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A tiny Rust bug just broke thousands of builds. It’s called TARmageddon (CVE-2025-62518) — a flaw in the async-tar library that lets attackers slip hidden files inside nested TAR archives. Unpatched since 2023, developers are now racing to fix it ↓ https://t.co/h1VeKfz2Mg
@TheHackersNews
22 Oct 2025
10045 Impressions
19 Retweets
38 Likes
8 Bookmarks
0 Replies
4 Quotes
Rust Library Flaw Exposes Systems to Remote Code Execution Edera researchers disclosed a high-severity CVE-2025-62518 vulnerability (CVSS 8.1) in an abandoned Rust async tar library affecting many forks, including tokio-tar with 5M+ downloads. Exploitation could enable remote ht
@Secwiserapp
21 Oct 2025
37 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
**CVE-2025-62518** pertains to a boundary parsing flaw in the `astral-tokio-tar` library, a Rust-based asynchronous tar archive processing library. Specifically, the vulnerability exists in versions prior to 0.5.6 and involves improper handling of archive headers, especially when
@CveTodo
21 Oct 2025
20 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-62518 astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that al… https://t.co/mYAi9BvWqa
@CVEnew
21 Oct 2025
206 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes