
RUSTSEC-2025-0110

astral-tokio-tar Vulnerable to PAX Header Desynchronization

Reported:
Issued:
Package: astral-tokio-tar (crates.io)
Type: Vulnerability
Categories:
Keywords: #parser-differential #smuggling
Aliases:
References:
CVSS Score: 8.1 HIGH
CVSS Details:
  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: None
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Patched:
  • >=0.5.6

Description

Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives whose PAX extended headers carry a size override, the parser advances the stream position by the size recorded in the ustar header (often zero) rather than the PAX-specified size, so the entry's file content is read as if it were further, legitimate tar headers.
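The desynchronisation above, as an added example that is not the crate's code: a minimal tar walker using only the standard library, which either honours the PAX size override (the patched behaviour) or advances by the ustar size field (the pre-0.5.6 behaviour), run over a constructed fixture. The fixture's entry names and the `header`/`walk` helpers are assumptions made here, not taken from the advisory or the crate.

```rust
// Added example (not the crate's code): a minimal tar walker that advances past entry data
// either by the PAX "size" override (correct) or by the ustar size field (pre-0.5.6 behaviour).
const BLOCK: usize = 512;
fn octal(field: &[u8]) -> usize { // ustar numeric fields: NUL/space-terminated octal
    usize::from_str_radix(String::from_utf8_lossy(field).trim_matches(&['\0', ' '][..]), 8).unwrap_or(0)
}
// One 512-byte ustar header with a valid checksum; used only to build the fixture below.
fn header(name: &str, size: usize, typeflag: u8) -> Vec<u8> {
    let mut h = vec![0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes());
    h[148..156].copy_from_slice(b"        "); // checksum is computed with this field as spaces
    h[156] = typeflag;
    h[257..265].copy_from_slice(b"ustar\x0000");
    let sum: u32 = h.iter().map(|&b| u32::from(b)).sum();
    h[148..155].copy_from_slice(format!("{:06o}\0", sum).as_bytes());
    h
}
fn walk(archive: &[u8], honour_pax: bool) -> Vec<(String, usize)> {
    let (mut pos, mut pax_size, mut entries) = (0usize, None::<usize>, Vec::new());
    while pos + BLOCK <= archive.len() {
        let h = &archive[pos..pos + BLOCK];
        if h.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        let name = String::from_utf8_lossy(&h[..100]).trim_end_matches('\0').to_string();
        let (ustar_size, typeflag) = (octal(&h[124..136]), h[156]);
        pos += BLOCK;
        if typeflag == b'x' { // PAX extended header: "<len> key=value\n" records
            let body = String::from_utf8_lossy(&archive[pos..(pos + ustar_size).min(archive.len())]);
            for kv in body.split('\n').filter_map(|rec| rec.split_once(' ').map(|(_, kv)| kv)) {
                if let Some(v) = kv.strip_prefix("size=") { pax_size = v.parse().ok(); }
            }
            pos += (ustar_size + BLOCK - 1) / BLOCK * BLOCK;
            continue;
        }
        // The bug: the PAX override is dropped and the ustar field (here 0) decides how far to skip.
        let size = match pax_size.take() { Some(p) if honour_pax => p, _ => ustar_size };
        entries.push((name, size));
        pos += (size + BLOCK - 1) / BLOCK * BLOCK; // skip the entry's data blocks
    }
    entries
}
// Constructed fixture: PAX declares 512 bytes, the ustar field says 0, and the lone data
// block is itself a well-formed header for "smuggled.txt" (a constructed name).
fn sample_archive() -> Vec<u8> {
    let pax = b"12 size=512\n";
    let mut a = header("./PaxHeaders/data.bin", pax.len(), b'x');
    a.extend_from_slice(pax); a.resize(2 * BLOCK, 0); // pad the PAX body out to a full block
    a.extend(header("data.bin", 0, b'0'));
    a.extend(header("smuggled.txt", 0, b'0'));
    a.extend(vec![0u8; 2 * BLOCK]);
    a
}
```

`walk(&sample_archive(), true)` yields the single entry `data.bin` with 512 bytes, while `walk(&sample_archive(), false)` reports `data.bin` followed by the extra `smuggled.txt` entry that was really file content; a parser test suite can assert on exactly this difference.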

This vulnerability was disclosed to multiple Rust tar parsers, all derived from the original async-tar fork of tar-rs.

For additional information see Edera's blog post.

Advisory available under CC0-1.0 license.