CVE-2025-62518: astral-tokio-tar Vulnerable to PAX Header Desynchronization
(updated )
Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers.
This vulnerability was disclosed to multiple Rust tar parsers, all derived from the original async-tar fork of tar-rs.
References
- edera.dev/stories/tarmageddon
- github.com/advisories/GHSA-j5gw-2vrg-8fgx
- github.com/astral-sh/tokio-tar
- github.com/astral-sh/tokio-tar/commit/22b3f884adb7a2adf1d3a8d03469533f5cbc8318
- github.com/astral-sh/tokio-tar/security/advisories/GHSA-j5gw-2vrg-8fgx
- github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9
- github.com/edera-dev/cve-tarmageddon
- nvd.nist.gov/vuln/detail/CVE-2025-62518
- rustsec.org/advisories/RUSTSEC-2025-0110.html
Code Behaviors & Features
Detect and mitigate CVE-2025-62518 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →