CVE-2025-62518Type Confusion in Tokio-tar

CWE-843Type Confusion16 documents9 sources
Severity
8.1HIGHNVD
EPSS
0.0%
top 95.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Alexcrichton Tar-rsAstral-sh Tokio-tarAstral-sh UV
Timeline
PublishedOct 21
Latest updateMar 20

Description

astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret fi

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages4 packages

CVEListV5astral-sh/tokio-tar< 0.5.6
crates.ioastral-sh/tokio-tar0.3.1+1
PyPIastral-sh/uv< 0.9.5
CVEListV5alexcrichton/tar-rs< 0.4.45

🔴Vulnerability Details

10
GHSA
tar-rs incorrectly ignores PAX size headers if header size is nonzero2026-03-20
OSV
tar-rs incorrectly ignores PAX size headers if header size is nonzero2026-03-19
OSV
uv has differential in tar extraction with PAX headers2025-10-21
OSV
CVE-2025-62518: astral-tokio-tar is a tar archive reading/writing library for async Rust2025-10-21
OSV
astral-tokio-tar Vulnerable to PAX Header Desynchronization2025-10-21

📋Vendor Advisories

3
Red Hat
astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization2025-10-21
Microsoft
astral-tokio-tar Vulnerable to PAX Header Desynchronization2025-10-14
Debian
CVE-2025-62518: rust-astral-tokio-tar - astral-tokio-tar is a tar archive reading/writing library for async Rust. Versio...2025

🕵️Threat Intelligence

2
Bleepingcomputer
TARmageddon flaw in abandoned Rust library enables RCE attacks2025-10-22
Wiz
CVE-2026-33055 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-62518 — Type Confusion in Astral-sh Tokio-tar | cvebase