PT-2025-42899 · Unknown+1 · Astral-Tokio-Tar+1

Published: 2025-10-21 · Updated: 2026-05-06 · CVE-2025-62518

CVSS v2.0: 9.4 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions
astral-tokio-tar versions prior to 0.5.6
async-tar versions prior to 0.5.6
tokio-tar versions prior to 0.5.6

Description
astral-tokio-tar, async-tar, and tokio-tar are vulnerable to a boundary parsing issue caused by inconsistent handling of PAX and ustar headers. When an archive contains a PAX extended header with a size override, the parser advances the stream position by the size in the ustar header (often zero) instead of the PAX-specified size, so file content is misinterpreted as legitimate tar headers. This can allow attackers to smuggle additional archive entries. The vulnerability is exploitable when processing untrusted tar archives and may result in arbitrary code execution or credential exfiltration. The root cause is that the parser uses the ustar size rather than the PAX override when calculating the file position. This vulnerability is also known as TARmageddon (CVE-2025-62518).

Recommendations
Upgrade astral-tokio-tar to version 0.5.6 or newer.
Upgrade async-tar to version 0.5.6 or newer.
Upgrade tokio-tar to version 0.5.6 or newer.
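The position-tracking mistake described above, as an added illustration in Rust (the language of the affected crates). This is not code from astral-tokio-tar, async-tar or tokio-tar; the function names (ustar_header, pax_record, build_sample_archive, list_entries) and the sample archive bytes are constructed for the example. The archive carries a PAX extended header with a size record for data.txt while the ustar size field of data.txt is 0. A reader that honours the PAX override lists both entries correctly; a reader that advances by the ustar size lands inside the file data and fails its next header checksum, which is the desynchronisation the advisory describes.

```rust
// Added illustration, not code from the affected crates. Names and archive bytes are
// constructed for this example.
const BLOCK: usize = 512;

/// Build one ustar header block with a valid checksum (only the fields that matter here).
fn ustar_header(name: &str, typeflag: u8, size: u64) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..107].copy_from_slice(b"0000644");
    h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes()); // octal size field
    h[156] = typeflag;
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    h[148..156].copy_from_slice(b"        "); // checksum is computed with this field as spaces
    let sum: u32 = h.iter().map(|&b| b as u32).sum();
    h[148..155].copy_from_slice(format!("{:06o}\0", sum).as_bytes());
    h
}

/// Parse an octal header field, stopping at NUL or space; unparsable fields yield 0.
fn octal_field(field: &[u8]) -> u64 {
    let s: String = field.iter().take_while(|&&b| b != 0 && b != b' ').map(|&b| b as char).collect();
    u64::from_str_radix(&s, 8).unwrap_or(0)
}

/// PAX record "<len> key=value\n", where <len> counts the whole record including itself.
fn pax_record(key: &str, value: &str) -> Vec<u8> {
    let body = format!(" {}={}\n", key, value);
    let mut len = body.len() + 1;
    while len.to_string().len() + body.len() != len {
        len = len.to_string().len() + body.len();
    }
    format!("{}{}", len, body).into_bytes()
}

fn pad(v: &mut Vec<u8>) {
    while v.len() % BLOCK != 0 { v.push(0); }
}

/// Constructed sample: PAX header carrying size=1500 for data.txt, whose own ustar
/// size field is 0 (the situation the advisory describes), then a second ordinary file.
fn build_sample_archive() -> Vec<u8> {
    let data = vec![b'A'; 1500]; // spans three 512-byte blocks
    let rec = pax_record("size", &data.len().to_string());
    let mut out = Vec::new();
    out.extend_from_slice(&ustar_header("./PaxHeaders/data.txt", b'x', rec.len() as u64));
    out.extend_from_slice(&rec);
    pad(&mut out);
    out.extend_from_slice(&ustar_header("data.txt", b'0', 0)); // ustar size deliberately 0
    out.extend_from_slice(&data);
    pad(&mut out);
    out.extend_from_slice(&ustar_header("second.txt", b'0', 5));
    out.extend_from_slice(b"hello");
    pad(&mut out);
    out.extend_from_slice(&[0u8; 2 * BLOCK]); // end-of-archive marker
    out
}

/// List (name, size) of the regular entries. With honor_pax == false the reader advances
/// by the ustar size even when a PAX size override is pending: the defect in question.
fn list_entries(archive: &[u8], honor_pax: bool) -> Result<Vec<(String, u64)>, String> {
    let mut entries = Vec::new();
    let mut pos = 0usize;
    let mut pax_size: Option<u64> = None;
    while pos + BLOCK <= archive.len() {
        let h = &archive[pos..pos + BLOCK];
        if h.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        // verify the checksum: sum of the block with the checksum field treated as spaces
        let computed: u64 = h.iter().enumerate()
            .map(|(i, &b)| if (148..156).contains(&i) { 32 } else { b as u64 }).sum();
        if computed != octal_field(&h[148..156]) {
            return Err(format!("bad header checksum at offset {}", pos)); // stream desynchronised
        }
        let name = String::from_utf8_lossy(&h[..100]).trim_end_matches('\0').to_string();
        let ustar_size = octal_field(&h[124..136]) as usize;
        pos += BLOCK;
        if h[156] == b'x' {
            // extended header body: one "<len> key=value" record per line
            let body = archive.get(pos..pos + ustar_size).ok_or("truncated PAX header")?;
            for rec in String::from_utf8_lossy(body).lines() {
                if let Some(v) = rec.split_once(' ').and_then(|(_, kv)| kv.strip_prefix("size=")) {
                    pax_size = v.parse().ok();
                }
            }
            pos += (ustar_size + BLOCK - 1) / BLOCK * BLOCK;
        } else {
            let size = match pax_size.take() {
                Some(s) if honor_pax => s as usize, // PAX override wins
                _ => ustar_size,                    // vulnerable behaviour when an override was pending
            };
            entries.push((name, size as u64));
            pos += (size + BLOCK - 1) / BLOCK * BLOCK;
        }
    }
    Ok(entries)
}

fn main() {
    let archive = build_sample_archive();
    println!("PAX-aware reader:  {:?}", list_entries(&archive, true));
    println!("ustar-size reader: {:?}", list_entries(&archive, false));
}
```

In this constructed archive the file data is plain text, so the desynchronised reader stops with a checksum error at offset 1536, the first byte of data.txt's content. The advisory's point is that content chosen by the archive author need not fail that check, so a reader that advances by the ustar size ends up treating content as headers; the fix is the single rule shown in list_entries: when a PAX size record is pending, it, not the ustar field, determines how far to advance.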

Exploit

Fix

RCE

Type Confusion

Weakness Enumeration

Related Identifiers

BDU:2025-15219
CVE-2025-62518
GHSA-GCHP-Q4R4-X4FF
GHSA-J5GW-2VRG-8FGX
GHSA-W476-P2H3-79G9
OPENSUSE-SU-2025:15658-1
OPENSUSE-SU-2026:20026-1
RUSTSEC-2025-0110
RUSTSEC-2025-0111
SUSE-SU-2026:20077-1

Affected Products

Debian
Astral-Tokio-Tar