Astral-Sh Tokio-Tar vulnerabilities
3 known vulnerabilities affecting astral-sh/tokio-tar.
Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 1, LOW 1
Vulnerabilities
CVE-2026-32766 | LOW | CVSS 1.7 | CWE-436 | fixed in 0.6.0 | 2026-03-20
astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malforme
Sources: cvelistv5, nvd
CVE-2025-62518 | HIGH | CVSS 8.1 | CWE-843 | fixed in 0.5.6 | 2025-10-21
astral-tokio-tar Vulnerable to PAX Header Desynchronization
astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides
Sources: cvelistv5, ghsa, osv
CVE-2025-59825 | MEDIUM | CVSS 6.1 | CWE-22 | fixed in 0.5.4 | 2025-09-23
astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.3 and earlier of astral-tokio-tar, tar archives may extract outside of their intended destination directory when using the Entry::unpack_in_raw API. Additionally, the Entry::allow_external_symlinks control (which defaults to true) could be bypassed via a pair of
Sources: cvelistv5, nvd