RUSTSEC-2025-0111

tokio-tar parses PAX extended headers incorrectly, allows file smuggling

Reported

October 21, 2025

Issued

October 25, 2025

Package

tokio-tar (crates.io)

Type

Vulnerability

Categories

format-injection

Keywords

#unsound #parsing #smuggling #file-smuggling #unmaintained

References

https://edera.dev/stories/tarmageddon

Related

Patched

no patched versions

Affected Functions

Version

tokio_tar::Archive::new

<=0.3.1

tokio_tar::ArchiveBuilder::new

<=0.3.1

Description

The archive reader incorrectly handles PAX extended headers, when the ustar header incorrectly specifies zero size (size=000000000000), while a PAX header specifies a non-zero size, tokio-tar::Archive is going to read the file content as tar entry header.

This can be used by a tar file to present different content to tokio-tar compared to other tar reader implementations.

This bug is also known as CVE-2025-62518 and GHSA-j5gw-2vrg-8fgx, as those crates share a common ancestor codebase.

The tokio-tar crate is archived and no longer maintained, we recommend you switch to an alternative crate such as:

astral-tokio-tar

Advisory available under CC0-1.0 license.