CVE-2025-59825 — Path Traversal in Tokio-tar

CWE-22 — Path Traversal CWE-61 — UNIX Symbolic Link (Symlink) Following8 documents7 sources

Severity

6.1MEDIUMNVD

GHSA7.5OSV7.5

EPSS

0.0%

top 93.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Astral-sh Tokio-tar

Timeline

PublishedSep 23

Description

astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.3 and earlier of astral-tokio-tar, tar archives may extract outside of their intended destination directory when using the Entry::unpack_in_raw API. Additionally, the Entry::allow_external_symlinks control (which defaults to true) could be bypassed via a pair of symlinks that individually point within the destination but combine to point outside of it. These behaviors could be used individually or combined …

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages1 packages

▶CVEListV5astral-sh/tokio-tar< 0.5.4

🔴Vulnerability Details

CVEList

astral-tokio-tar has a path traversal in tar extraction↗2025-09-23

▶

OSV

astral-tokio-tar has a path traversal in tar extraction↗2025-09-23

▶

OSV

CVE-2025-59825: astral-tokio-tar is a tar archive reading/writing library for async Rust↗2025-09-23

▶

GHSA

astral-tokio-tar has a path traversal in tar extraction↗2025-09-23

▶

📋Vendor Advisories

Red Hat

astral-tokio-tar: astral-tokio-tar path traversal↗2025-09-23

▶

Microsoft

astral-tokio-tar has a path traversal in tar extraction↗2025-09-09

▶

Debian

CVE-2025-59825: rust-astral-tokio-tar - astral-tokio-tar is a tar archive reading/writing library for async Rust. In ver...↗2025

▶