Cybersecurity researchers have disclosed particulars of a high-severity flaw impacting the favored async-tar Rust library and its forks, together with tokio-tar, that would end in distant code execution beneath sure situations.
The vulnerability, tracked as CVE-2025-62518 (CVSS rating: 8.1), has been codenamed TARmageddon by Edera, which found the difficulty in late August 2025. It impacts a number of widely-used initiatives, corresponding to testcontainers and wasmCloud.
“Within the worst-case state of affairs, this vulnerability has a severity of 8.1 (Excessive) and may result in Distant Code Execution (RCE) by file overwriting assaults, corresponding to changing configuration information or hijacking construct backends,” the Seattle-based safety firm said.
The issue is compounded by the truth that tokio-tar is basically abandonware regardless of attracting 1000’s of downloads through crates.io. Tokio-tar is a Rust library for asynchronously studying and writing TAR archives constructed atop the Tokio runtime for the programming language. The Rust crate was last updated on July 15, 2023.
Within the absence of a patch for tokio-tar, customers counting on the library are suggested emigrate to astral-tokio-tar, which has launched version 0.5.6 to remediate the flaw.
“Variations of astral-tokio-tar previous to 0.5.6 comprise a boundary parsing vulnerability that enables attackers to smuggle extra archive entries by exploiting inconsistent PAX/ustar header dealing with,” Astral developer William Woodruff said in an alert.
“When processing archives with PAX-extended headers containing dimension overrides, the parser incorrectly advances stream place primarily based on ustar header dimension (typically zero) as an alternative of the PAX-specified dimension, inflicting it to interpret file content material as reputable TAR headers.”
The difficulty, in a nutshell, is the results of inconsistent dealing with when dealing with PAX prolonged headers and ustar headers when figuring out file knowledge boundaries. PAX, brief for transportable archive interchange, is an prolonged model of the USTAR format used to store properties of member information in a TAR archive.
The mismatch between a PAX prolonged headers and ustar headers – the place the PAX header appropriately specifies the file dimension, whereas the ustar header incorrectly specifies the file dimension as zero (as an alternative of the PAX dimension) – results in a parsing inconsistency, inflicting the library to interpret the internal content material as extra outer archive entries.
“By advancing 0 bytes, the parser fails to skip over the precise file knowledge (which is a nested TAR archive) and instantly encounters the following legitimate TAR header positioned at first of the nested archive,” Edera defined. “It then incorrectly interprets the internal archive’s headers as reputable entries belonging to the outer archive.”
Consequently, an attacker might exploit this habits to “smuggle” additional archives when the library is processing nested TAR information, thereby making it doable to overwrite information inside extraction directories, in the end paving the way in which for arbitrary code execution.
In a hypothetical assault state of affairs, an attacker might add a specially-crafted bundle to PyPI such that the outer TAR accommodates a reputable pyproject.toml, whereas the hidden internal TAR accommodates a malicious one which hijacks the construct backend and overwrites the precise file throughout set up.
“Whereas Rust’s ensures make it considerably tougher to introduce reminiscence security bugs (like buffer overflows or use-after-free), it doesn’t eradicate logic bugs – and this parsing inconsistency is basically a logic flaw,” Edera mentioned. “Builders should stay vigilant in opposition to all courses of vulnerabilities, whatever the language used.”
