
TARmageddon Flaw in Async-Tar Rust Library Could Allow Remote Code Execution

Cybersecurity researchers have disclosed details of a high-severity flaw affecting the popular async-tar Rust library and its forks, including tokio-tar, that could result in remote code execution under certain conditions.

The vulnerability, tracked as CVE-2025-62518 (CVSS score: 8.1), has been codenamed TARmageddon by Edera, which discovered the issue in late August 2025. It affects a number of widely used projects, such as testcontainers and wasmCloud.

“In the worst-case scenario, this vulnerability has a severity of 8.1 (High) and can lead to Remote Code Execution (RCE) through file overwriting attacks, such as replacing configuration files or hijacking build backends,” the Seattle-based security company said.


The problem is compounded by the fact that tokio-tar is effectively abandonware despite attracting hundreds of downloads via crates.io. Tokio-tar is a Rust library for asynchronously reading and writing TAR archives, built atop the Tokio runtime for the language. The Rust crate was last updated on July 15, 2023.


In the absence of a patch for tokio-tar, users relying on the library are advised to migrate to astral-tokio-tar, which has released version 0.5.6 to remediate the flaw.

“Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling,” Astral developer William Woodruff said in an advisory.

“When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate TAR headers.”

The issue, in a nutshell, is the result of inconsistent handling of PAX extended headers and ustar headers when determining file data boundaries. PAX, short for portable archive interchange, is an extended version of the USTAR format used to store properties of member files in a TAR archive.


The mismatch between the PAX extended header and the ustar header, where the PAX header correctly specifies the file size while the ustar header specifies it as zero (instead of the PAX size), leads to a parsing inconsistency that causes the library to interpret the inner content as additional outer archive entries.

“By advancing 0 bytes, the parser fails to skip over the actual file data (which is a nested TAR archive) and immediately encounters the next valid TAR header located at the start of the nested archive,” Edera explained. “It then incorrectly interprets the inner archive’s headers as legitimate entries belonging to the outer archive.”
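The parsing mismatch described above, as an added example that is not code from the page or from any of the libraries it names: a small Rust entry walker run over a constructed archive in which a PAX header gives the nested tar's real size while the ustar size field says 0. All function names (`header`, `entry_names`, `sample_archive`, `size_fields_disagree`) are assumptions for this illustration; the header builder omits the mode and checksum fields, which the walker does not validate.

```rust
// Constructed 512-byte ustar header (sample builder: no mode/checksum, not a full tar writer).
fn header(name: &str, typeflag: u8, size: usize) -> [u8; 512] {
    let mut h = [0u8; 512];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[124..136].copy_from_slice(format!("{:011o}\0", size).as_bytes());
    h[156] = typeflag;
    h[257..265].copy_from_slice(b"ustar\x0000"); // magic + version
    h
}
// Entry names as a reader sees them. honour_pax = false reproduces TARmageddon:
// the data skip uses the ustar size (0) even though a PAX header overrode it.
fn entry_names(tar: &[u8], honour_pax: bool) -> Vec<String> {
    let (mut names, mut pos, mut pax_size) = (Vec::new(), 0usize, None::<usize>);
    while pos + 512 <= tar.len() && tar[pos] != 0 { // zero block ends the archive
        let h = &tar[pos..pos + 512];
        let ustar_size = usize::from_str_radix(String::from_utf8_lossy(&h[124..136]).trim_matches(|c: char| c == '\0' || c == ' '), 8).unwrap_or(0);
        pos += 512;
        if h[156] == b'x' { // PAX extended header: "<len> key=value\n" records
            for rec in String::from_utf8_lossy(&tar[pos..pos + ustar_size]).split('\n') {
                if let Some(v) = rec.split_once(' ').and_then(|(_, kv)| kv.strip_prefix("size=")) {
                    pax_size = v.parse().ok();
                }
            }
        } else {
            names.push(String::from_utf8_lossy(&h[..100]).trim_end_matches('\0').to_string());
        }
        let data = if honour_pax && h[156] != b'x' { pax_size.take().unwrap_or(ustar_size) } else { ustar_size };
        pos += (data + 511) / 512 * 512; // file data is padded to whole blocks
    }
    names
}
// Constructed archive: PAX `size` override for a nested tar whose ustar size field is 0.
fn sample_archive() -> Vec<u8> {
    let mut inner = header("inner/pyproject.toml", b'0', 0).to_vec();
    inner.extend_from_slice(&[0u8; 1024]); // end-of-archive marker of the nested tar
    let rec = format!(" size={}\n", inner.len());
    let len = (1..).find(|l: &usize| l.to_string().len() + rec.len() == *l).unwrap(); // PAX record length counts itself
    let pax = format!("{len}{rec}");
    let mut tar = header("PaxHeaders/nested.tar", b'x', pax.len()).to_vec();
    tar.extend_from_slice(pax.as_bytes());
    tar.resize(1024, 0); // pad the PAX body to a full block
    tar.extend_from_slice(&header("nested.tar", b'0', 0)); // ustar size 0, PAX size 1536
    tar.extend_from_slice(&inner);
    tar.extend_from_slice(&header("outer/pyproject.toml", b'0', 0));
    tar.extend_from_slice(&[0u8; 1024]);
    tar
}
// Defensive check: if the entry list depends on which size field is trusted, reject the archive.
fn size_fields_disagree(tar: &[u8]) -> bool { entry_names(tar, true) != entry_names(tar, false) }
```

With the PAX size honoured the walker reports `nested.tar` and `outer/pyproject.toml`; the buggy walk reports `nested.tar` and the smuggled `inner/pyproject.toml` and never reaches the outer entry.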


As a result, an attacker could exploit this behaviour to “smuggle” additional archives when the library processes nested TAR files, making it possible to overwrite files within extraction directories and ultimately paving the way for arbitrary code execution.

In a hypothetical attack scenario, an attacker could upload a specially crafted package to PyPI such that the outer TAR contains a legitimate pyproject.toml, while the hidden inner TAR contains a malicious one that hijacks the build backend and overwrites the real file during installation.


“While Rust’s guarantees make it significantly harder to introduce memory safety bugs (like buffer overflows or use-after-free), it doesn’t eliminate logic bugs – and this parsing inconsistency is fundamentally a logic flaw,” Edera said. “Developers must remain vigilant against all classes of vulnerabilities, regardless of the language used.”
