CVE-2025-62518
Published Oct 21, 2025
Last updated 2 months ago
AI description
CVE-2025-62518, also known as "TARmageddon," is a boundary parsing vulnerability found in the astral-tokio-tar library, a Rust library used for reading and writing tar archives asynchronously. This vulnerability stems from inconsistent handling of PAX and ustar headers when processing archives with PAX-extended headers that include size overrides. The parser incorrectly calculates the stream position based on the ustar header size (often zero) instead of the size specified in the PAX header. This discrepancy allows attackers to "smuggle" additional archive entries into TAR extractions. By exploiting this flaw, attackers can overwrite files, potentially leading to remote code execution. This vulnerability affects multiple projects that rely on the async-tar library and its forks, such as tokio-tar, uv (Astral's Python package manager), testcontainers, and wasmCloud. It is recommended to update to version 0.5.6 or later of astral-tokio-tar to mitigate this vulnerability.
- Description: astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds.
- Source: security-advisories@github.com
- NVD status: Awaiting Analysis
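The boundary error described above, as an added example that is not astral-tokio-tar's code: a minimal tar walker run over a constructed archive in which a PAX header overrides the size to 600 while the ustar size field says 0. With `honour_pax = true` the walker advances by the PAX value (the 0.5.6 behaviour); with `false` it advances by the ustar field, so the entry's own payload is read as further headers, which is the mechanism the advisory describes. Function names are assumed, header checksums are not computed or verified, and only the fields the walker reads are filled in.

```rust
const BLOCK: usize = 512;
fn octal(field: &[u8]) -> u64 { // NUL- or space-terminated octal field (ustar "size")
    let s: String = field.iter().take_while(|&&b| b != 0 && b != b' ').map(|&b| b as char).collect();
    u64::from_str_radix(&s, 8).unwrap_or(0)
}
// Parse PAX records ("<len> key=value\n") and return the size override, if present.
fn pax_size(records: &[u8]) -> Option<u64> {
    std::str::from_utf8(records).ok()?.lines()
        .filter_map(|l| l.split_once(' ').map(|(_, kv)| kv))
        .find_map(|kv| kv.strip_prefix("size=")?.parse().ok())
}
fn round_up(n: u64) -> usize { (n as usize + BLOCK - 1) / BLOCK * BLOCK }
/// Returns (name, data_len) per regular entry; `honour_pax=false` reproduces the pre-0.5.6 mistake.
fn walk(archive: &[u8], honour_pax: bool) -> Vec<(String, u64)> {
    let (mut pos, mut out, mut pending) = (0usize, Vec::new(), None);
    while pos + BLOCK <= archive.len() && archive[pos] != 0 {
        let hdr = &archive[pos..pos + BLOCK];
        let name = String::from_utf8_lossy(&hdr[..100]).trim_end_matches('\0').to_string();
        let ustar_size = octal(&hdr[124..136]);
        pos += BLOCK;
        if hdr[156] == b'x' { // PAX extended header: keep the override for the next entry
            pending = pax_size(&archive[pos..(pos + ustar_size as usize).min(archive.len())]);
            pos += round_up(ustar_size);
            continue;
        }
        // The fix: the PAX value, not the (often zero) ustar field, decides how far to skip.
        let len = match pending.take() { Some(p) if honour_pax => p, _ => ustar_size };
        out.push((name, len));
        pos += round_up(len);
    }
    out
}
fn header(name: &str, size: u64, typeflag: u8) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes());
    h[156] = typeflag; h[257..263].copy_from_slice(b"ustar\0");
    h
}
// Constructed archive: PAX header (size=600) for "a.txt" whose ustar size is 0, then "b.txt".
fn sample_archive() -> Vec<u8> {
    let mut a = Vec::new();
    for (h, data) in [(header("PaxHeaders/a.txt", 12, b'x'), b"12 size=600\n".to_vec()),
                      (header("a.txt", 0, b'0'), vec![b'A'; 600]),
                      (header("b.txt", 5, b'0'), b"hello".to_vec())] {
        a.extend_from_slice(&h); a.extend_from_slice(&data); a.resize(round_up(a.len() as u64), 0);
    }
    a.resize(a.len() + 2 * BLOCK, 0); a // two zero blocks mark end of archive
}
```

The fixed walk yields exactly `a.txt` (600 bytes) and `b.txt`; the pre-fix walk additionally reports two bogus entries whose names are runs of the payload byte `A`.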
CVSS 3.1
- Type: Secondary
- Base score: 8.1
- Impact score: 5.2
- Exploitability score: 2.8
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
- Severity: HIGH
- Source: security-advisories@github.com
- Weakness: CWE-843
- Hype score: Not currently trending
🪤 TARmageddon (CVE-2025-62518): RCE Vulnerability Highlights the Challenges of Open Source Abandonware 「 Due to the widespread nature of tokio-tar in various forms, it is not possible to truly quantify upfront the blast radius of this bug across the ecosystem 」
@jbzfn
12 Nov 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Cloud & Cybersecurity Weekly: AWS launches RTB Fabric for ad-tech, but a DNS outage hit Alexa & Fortnite. Critical Rust flaws (CVE-2025-62518) & TP-Link router bugs need urgent patches. CISOs: AI speeds attacks—boost resilience now. #Cybersecurity #CloudTech #AWS
@cageyvdev
9 Nov 2025
50 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🛠️ TARmageddon (CVE-2025-62518) A critical boundary-parsing bug, TARmageddon (CVE-2025-62518), in the async-tar Rust library and its forks, including tokio-tar. This vulnerability, with a severity of 8.1 (High), can enable Remote Code Execution (RCE) through file overwrit
@IntCyberDigest
3 Nov 2025
2038 Impressions
5 Retweets
17 Likes
5 Bookmarks
0 Replies
0 Quotes
🚨🔍 **Security Alert!** Edera found a critical bug, TARmageddon (CVE-2025-62518), in async-tar. Risks RCE! 📉 Upgrade or remove dependencies! For tokio-tar, switch to #astral-tokio-tar. Stay safe! 🛡️https://t.co/K6XaAOYpTY✨ #RustLang #SecurityPatch https://t.co/emUY
@ReliableEmbSys
1 Nov 2025
75 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️Vulnerability in Rust ❗CVE-2025-62518 ➡️More info: https://t.co/chagZYCUOT https://t.co/EjOXWmHPga
@CERTpy
28 Oct 2025
75 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 **TARmageddon: SEVERE SECURITY VULNERABILITY IN A POPULAR RUST LIBRARY – CVSS SCORE 8.1!** 🚨 A new threat for Rust developers! This high-profile vulnerability can crash a system completely or execute malicious code. Called TARmageddon (CVE-2025-62518), it was found in the popular library
@BJORKANISM_REAL
25 Oct 2025
46 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Tarmageddon 🦀(CVE-2025-62518): RCE vulnerability highlights the challenges of open source abandonware https://t.co/GjV7xbDUHL
@jedisct1
25 Oct 2025
879 Impressions
0 Retweets
2 Likes
2 Bookmarks
0 Replies
0 Quotes
🚨TARmageddon: High Profile Security Vulnerability In Popular Rust Library CVE: CVE-2025-62518 CVSS: 8.1 GitHub: https://t.co/kR7MJjO2s4 Write-up: https://t.co/dzwaSoh9xh https://t.co/VGM25CXF3A
@DarkWebInformer
25 Oct 2025
5156 Impressions
5 Retweets
18 Likes
5 Bookmarks
0 Replies
0 Quotes
TARMAGEDDON (CVE-2025-62518): RCE Vulnerability Highlights the challenges of open source abandonware https://t.co/J4PSxQ4e3x
@_r_netsec
24 Oct 2025
2769 Impressions
5 Retweets
14 Likes
6 Bookmarks
0 Replies
1 Quote
Ready for a new Branded Vulnerability™? #TARmageddon (CVE-2025-62518) affects the #Rust ecosystem's many forks of `async-tar`; it's a parsing bug for the .tar file format that allows all kinds of shenanigans: at worst even #RCE (Remote Code Execution). Fortunately for us, it's a
@CheckmarxZero
23 Oct 2025
76 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
TARmageddon (CVE-2025-62518): RCE Vulnerability Highlights the Challenges of Open Source Abandonware https://t.co/C8MfgTuKR0 #appsec
@eyalestrin
23 Oct 2025
13 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#CVE-2025-62518 is a high-severity remote code execution vulnerability in async-tar Rust library, impacting tools like uv and tokio-tar. Address the issue by auditing and patching dependencies to prevent risks from abandoned open-source code. #CyberSecurity #PatchManagement
@bigmacd16684
23 Oct 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Cybersecurity researchers have disclosed details of a high-severity flaw (CVE-2025-62518) impacting the popular async-tar Rust library and its forks. #CyberSecurity #InfoSec https://t.co/ohEe3yFI9N https://t.co/HJbeD4zqdj
@twelvesec
23 Oct 2025
18 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
TARmageddon – Critical security vulnerability in a popular Rust library. This week CVE-2025-62518, commonly known as TARmageddon, became public: a serious security vulnerability in the popular async-tar Rust library and its forks
@linuxmint_hun
23 Oct 2025
31 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Edera disclosed the TARmageddon flaw (CVE-2025-62518) in the Rust async-tar library, allowing remote code execution by exploiting mismatched PAX/ustar headers, posing serious supply-chain risks. #Rust #CyberSecurity https://t.co/vunyZ3OTUB
@Cyber_O51NT
23 Oct 2025
193 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
TARmageddon (CVE-2025-62518) was discovered in August 2025 being used in Tar based projects such as testcontainers and wasmCloud. With a CVSS score of 8.1, with the assumption malware can be written to create a RCE to overwrite files, or hijacking build back-ends. By advancing 0
@Leila97726926
22 Oct 2025
44 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
🚨 'TARmageddon' flaw (CVE-2025-62518) in async-tar Rust library & forks allows RCE. High-severity warning for developers! https://t.co/gJPBDsAfMy #RustLang #Cybersecurity #RCE #Vulnerability #TARmageddon
@0xT3chn0m4nc3r
22 Oct 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
📌 Cybersecurity researchers have disclosed a serious vulnerability in the async-tar library for the Rust language that could lead to remote code execution. The vulnerability was designated CVE-2025-62518, scored 8.1, and named T
@Cybercachear
22 Oct 2025
42 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#snapchatleak #crypto $ #easymoney #purchasesnaphack #explore #Everyone It’s called TARmageddon (CVE-2025-62518) — a flaw in the async-tar library that lets attackers slip hidden files inside nested TAR archives. https://t.co/jG0rH3JmBv
@silentwolf12347
22 Oct 2025
30 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
A tiny Rust bug just broke thousands of builds. It’s called TARmageddon (CVE-2025-62518) — a flaw in the async-tar library that lets attackers slip hidden files inside nested TAR archives. Unpatched since 2023, developers are now racing to fix it ↓ https://t.co/h1VeKfz2Mg
@TheHackersNews
22 Oct 2025
10694 Impressions
21 Retweets
43 Likes
8 Bookmarks
0 Replies
4 Quotes
Rust Library Flaw Exposes Systems to Remote Code Execution Edera researchers disclosed a high-severity CVE-2025-62518 vulnerability (CVSS 8.1) in an abandoned Rust async tar library affecting many forks, including tokio-tar with 5M+ downloads. Exploitation could enable remote ht
@Secwiserapp
21 Oct 2025
37 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
**CVE-2025-62518** pertains to a boundary parsing flaw in the `astral-tokio-tar` library, a Rust-based asynchronous tar archive processing library. Specifically, the vulnerability exists in versions prior to 0.5.6 and involves improper handling of archive headers, especially when
@CveTodo
21 Oct 2025
20 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-62518 astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that al… https://t.co/mYAi9BvWqa
@CVEnew
21 Oct 2025
206 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes