Reported

October 21, 2025

Issued

October 25, 2025

Package

astral-tokio-tar (crates.io)

Type

Vulnerability

Categories

• format-injection

Keywords

#parser-differential #smuggling

Aliases

• CVE-2025-62518
• GHSA-j5gw-2vrg-8fgx

References

• https://github.com/advisories/GHSA-j5gw-2vrg-8fgx

CVSS Score

8.1 HIGH

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality Impact

High

Integrity Impact

High

Availability Impact

None

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Patched

• >=0.5.6

Description

Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers.

This vulnerability was disclosed to multiple Rust tar parsers, all derived from the original async-tar fork of tar-rs.

For additional information see Edera's blog post.

Advisory available under CC0-1.0 license.