
CVE

CVE-2025-62518

astral-tokio-tar Vulnerable to PAX Header Desynchronization

Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances the stream position based on the ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers.

This vulnerability was disclosed to multiple Rust tar parsers, all derived from the original async-tar fork of tar-rs.

For additional information see Edera's blog post.
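The correct boundary handling described above, as an added example that is not code from astral-tokio-tar or from this advisory, written in Python for brevity: a minimal tar walker that applies a PAX "size" record to the entry that follows it and rejects a stream whose next block does not carry the ustar magic. The archive it walks is constructed inline (names, sizes and contents are made up), with a PAX header followed by an entry whose ustar size field reads 0, the case the description names; header checksums are not verified.

```python
# Added example, not astral-tokio-tar's code: a tar stream walker in which a PAX
# "size" record overrides the next entry's ustar size field and every header is
# checked for the ustar magic, the handling the advisory says the vulnerable parser lacked.
BLOCK = 512  # tar block size; header checksums are not verified, to keep the example short

def pax_size(data: bytes):
    """Value of a PAX 'size' record ("len key=value\\n" format), or None if absent/malformed."""
    while data:
        length = data.partition(b" ")[0]
        n = int(length) if length.isdigit() else 0
        if n <= len(length) + 1 or n > len(data):
            return None  # record length inconsistent with the buffer
        key, _, value = data[len(length) + 1:n - 1].partition(b"=")
        if key == b"size" and value.isdigit():
            return int(value)
        data = data[n:]
    return None

def walk(archive: bytes):
    """Yield (name, ustar_size_field, effective_size) for each file entry."""
    pos, override = 0, None
    while pos + BLOCK <= len(archive):
        hdr = archive[pos:pos + BLOCK]
        if hdr == b"\0" * BLOCK:
            break  # end-of-archive marker
        if hdr[257:262] != b"ustar":
            raise ValueError(f"bad magic at offset {pos}: stream desynchronized")
        ustar = int(hdr[124:136].split(b"\0")[0].strip() or b"0", 8)
        size = ustar if (hdr[156:157] == b"x" or override is None) else override  # PAX wins
        end, override = pos + BLOCK + size, None
        if end > len(archive):
            raise ValueError("entry data runs past end of archive")
        if hdr[156:157] == b"x":
            override = pax_size(archive[pos + BLOCK:end])  # applies to the next entry
        else:
            yield hdr[:100].split(b"\0")[0].decode(), ustar, size
        pos = end + (-size % BLOCK)  # skip padding to the next 512-byte boundary

def header(name: str, size: int, flag: bytes) -> bytes:  # constructed ustar header
    h = bytearray(BLOCK)
    h[:len(name)], h[257:263] = name.encode(), b"ustar\0"
    h[124:135], h[156:157] = b"%011o" % size, flag
    return bytes(h)

def sample_archive() -> bytes:
    """Constructed: PAX header saying size=1024, then an entry whose ustar size field is 0."""
    pax = b"13 size=1024\n"
    return (header("PaxHeaders/payload", len(pax), b"x") + pax.ljust(BLOCK, b"\0")
            + header("payload", 0, b"0") + b"A" * 1024 + header("second", 5, b"0")
            + b"hello".ljust(BLOCK, b"\0") + b"\0" * 2 * BLOCK)
```

Advancing by the ustar field instead would land the walker on the first data block of "payload", where the magic check fails; the walker above reports the entry as 1024 bytes and resynchronises on "second".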


CVSS

CVSS Version: 3.1
Base Score: 8.1
Score Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N


References

https://crates.io/crates/astral-tokio-tar
https://rustsec.org/advisories/RUSTSEC-2025-0110.html
https://github.com/advisories/GHSA-j5gw-2vrg-8fgx


Basic Information

Ecosystem: -
Base CVSS: 8.1
EPSS Probability: 0.00021%
EPSS Percentile: 0.04799%
Introduced Version: 0.0.0-0, 0.5.0, 0.4.0, 0.1.0
Fix Available: 0.5.6
