CVE-2025-59825

CVSS v4.0

6.1

Medium

Vector

AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

Name of the Vulnerable Software and Affected Versions astral-tokio-tar versions 0.5.3 and earlier

Description astral-tokio-tar is a tar archive reading/writing library for async Rust. Tar archives may extract files outside of their intended destination directory when using the Entry::unpack in raw API. The Entry::allow external symlinks control could be bypassed using symlinks that, when combined, point outside the destination directory. These behaviors could allow an attacker with a malicious tar archive to perform arbitrary file writes and potentially achieve code execution.

Recommendations Upgrade to version 0.5.4 or later.

Exploit

Fix

RCE

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22CWE-61

Related Identifiers

CVE-2025-59825

GHSA-3WGQ-WRWC-VQMV

Affected Products

Debian

Astral-Tokio-Tar

CVE-2025-59825

Weakness Enumeration

Related Identifiers

Affected Products

References · 20