PT-2026-26570 · Tar-Rs · Tar-Rs

Xokdvium · Published 2026-03-19 · Updated 2026-03-20 · CVE-2026-33055

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: tar-rs versions 0.4.44 and below
Description: tar-rs, a Rust library for reading and writing tar archives, contains a flaw in its handling of PAX size headers. In versions 0.4.44 and below, conditional logic skips the PAX size header whenever the base header's size field is non-zero. Because other tar parsers, such as Go's archive/tar, unconditionally apply the PAX size override, an archive can be crafted that unpacks differently depending on which archiver reads it; tar-rs is an exception in consulting the base header size at all. The issue affects any application that uses the tar-rs crate to parse archives and expects results consistent with other parsers. A proof-of-concept (PoC) demonstrates the potential to smuggle symlinks into the registry, bypassing security checks in certain scenarios.
Recommendations: Update to version 0.4.45 or later.
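As an added example (not code from the advisory or from the tar-rs project), the check below walks raw 512-byte tar blocks and flags every entry whose non-zero ustar size field disagrees with a PAX `size` record, which is precisely the input on which tar-rs 0.4.44 and below and Go's archive/tar diverge; it also shows that Python's tarfile, like Go, applies the PAX override unconditionally. The conflicting archive is a constructed fixture, and the function names are this example's own.

```python
import io
import tarfile

BLOCK = 512

def _parse_pax(data: bytes) -> dict:
    """Parse PAX records '<len> key=value\\n' (len counts the whole record) into a dict."""
    records, pos = {}, 0
    while pos < len(data):
        length = int(data[pos:].split(b" ", 1)[0])
        key, value = data[pos:pos + length].split(b" ", 1)[1].rstrip(b"\n").split(b"=", 1)
        records[key.decode()] = value.decode()
        pos += length
    return records
def find_size_conflicts(archive: bytes) -> list:
    """Return (name, ustar_size, pax_size) for entries whose non-zero ustar size disagrees with PAX 'size'."""
    conflicts, pax, pos = [], {}, 0
    while pos + BLOCK <= len(archive) and archive[pos:pos + BLOCK] != b"\0" * BLOCK:
        hdr = archive[pos:pos + BLOCK]
        size = int(hdr[124:136].split(b"\0", 1)[0].strip() or b"0", 8)  # octal size field
        pos += BLOCK
        if hdr[156:157] == b"x":                    # PAX extended header for the next entry
            pax = _parse_pax(archive[pos:pos + size])
        else:
            name = hdr[:100].split(b"\0", 1)[0].decode()
            if "size" in pax:
                pax_size = int(pax["size"])
                if size != 0 and pax_size != size:  # the case tar-rs <= 0.4.44 resolved differently
                    conflicts.append((name, size, pax_size))
                size = pax_size                     # Go's archive/tar semantics: PAX size wins
            pax = {}
        pos += -(-size // BLOCK) * BLOCK            # skip payload, rounded up to a block
    return conflicts
def _ustar_header(name: bytes, size: int, typeflag: bytes) -> bytes:
    """Minimal ustar header with a valid checksum (constructed test data)."""
    hdr = bytearray(BLOCK)
    hdr[:len(name)], hdr[100:108], hdr[124:136] = name, b"0000644\0", b"%011o\0" % size
    hdr[156:157], hdr[257:265], hdr[148:156] = typeflag, b"ustar\x0000", b" " * 8
    hdr[148:156] = b"%06o\0 " % sum(hdr)            # checksum is taken with the field blanked
    return bytes(hdr)
def build_conflicting_archive() -> bytes:
    """Constructed fixture: the ustar size field says 10 bytes, the PAX record says 4."""
    payload, record = b"AAAABBBBBB", b"9 size=4\n"
    out = _ustar_header(b"PaxHeaders/data.txt", len(record), b"x") + record.ljust(BLOCK, b"\0")
    out += _ustar_header(b"data.txt", len(payload), b"0") + payload.ljust(BLOCK, b"\0")
    return out + b"\0" * (2 * BLOCK)
def size_seen_by_tarfile(archive: bytes) -> int:
    """Python's tarfile applies the PAX override unconditionally, like Go's archive/tar."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tf:
        return tf.getmember("data.txt").size
```

An archive consumer that must agree with other tools can reject any archive for which `find_size_conflicts` returns a non-empty list, since the two size fields cannot both be honoured.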

Exploit

Fix

Weakness Enumeration

Type Confusion

Related Identifiers

CVE-2026-33055
GHSA-GCHP-Q4R4-X4FF
RUSTSEC-2026-0068

Affected Products

Tar-Rs