CVE-2025-62518

high

Description

astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds.

References

References
More

https://www.securityweek.com/tarmageddon-flaw-in-popular-rust-library-leads-to-rce/

https://www.bleepingcomputer.com/news/security/tarmageddon-flaw-in-abandoned-rust-library-enables-rce-attacks/

https://thehackernews.com/2025/10/tarmageddon-flaw-in-async-tar-rust.html

https://securityaffairs.com/183682/hacking/tarmageddon-flaw-in-async-tar-rust-library.html

https://cyberscoop.com/async-tar-rust-open-source-vulnerability/

https://github.com/edera-dev/cve-tarmageddon

https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9

https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-j5gw-2vrg-8fgx

https://github.com/astral-sh/tokio-tar/commit/22b3f884adb7a2adf1d3a8d03469533f5cbc8318

https://edera.dev/stories/tarmageddon

Details

Source: Mitre, NVD

Published: 2025-10-21

Updated: 2025-10-21

Named Vulnerability: Tarmageddon

Risk Information

CVSS v2

Base Score: 9.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

Severity: High

CVSS v3

Base Score: 8.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Severity: High

EPSS

EPSS: 0.00021