alexcrichton/tar-rs vulnerabilities

3 known vulnerabilities affecting alexcrichton/tar-rs.

Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 2

Vulnerabilities

CVE-2026-33055 | MEDIUM | CVSS 5.1 | fixed in 0.4.45 | 2026-03-20
tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. This is almo
cvelistv5, nvd

CVE-2026-33056 | MEDIUM | CVSS 5.1 | CWE-61 | fixed in 0.4.45 | 2026-03-20
tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory en
cvelistv5, nvd

CVE-2025-62518 | HIGH | CVSS 8.1 | CWE-843 | fixed in 0.4.45 | 2025-10-21
astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, th
nvd