RUSTSEC-2026-0113

unpack_in can chmod arbitrary directories by following symlinks

Reported
Issued
Package
astral-tokio-tar (crates.io)
Type
Vulnerability
Categories
Keywords
#tar #chmod
Aliases
References
Patched
  • >=0.6.1

Description

In versions 0.6.0 and earlier of astral-tokio-tar, the unpack_in API could inadvertently modify the permissions of external (i.e. non-archive) directories. An attacker could use this to contrive a tar archive that maliciously changes directory permissions outside of its intended hierarchy. This flaw only affects directories; individual file permissions cannot be modified through it.

See GHSA-j4xf-2g29-59ph for the equivalent flaw in the tar crate.
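The title attributes the flaw to following symlinks. As an added illustration (not astral-tokio-tar's code or its actual patch), the Unix-only sketch below sets a directory's mode only after checking every path component with `symlink_metadata`, which inspects a link itself instead of its target. The names `chmod_dir_in` and `demo` and the directory layout are hypothetical, constructed for this example.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::{symlink, PermissionsExt};
use std::path::{Component, Path};

/// Apply `mode` to directory `rel` under `dst`, refusing any entry path that
/// passes through a symlink, a non-directory, or a `..`/absolute component.
pub fn chmod_dir_in(dst: &Path, rel: &Path, mode: u32) -> io::Result<()> {
    let deny = |msg: &str| io::Error::new(io::ErrorKind::PermissionDenied, msg.to_string());
    let mut cur = fs::canonicalize(dst)?; // symlink-free absolute root
    for part in rel.components() {
        match part {
            Component::Normal(name) => cur.push(name),
            Component::CurDir => continue,
            _ => return Err(deny("entry path escapes destination")),
        }
        // symlink_metadata (lstat) describes the link itself; fs::metadata
        // (stat) would describe whatever the link points at.
        let meta = fs::symlink_metadata(&cur)?;
        if meta.file_type().is_symlink() {
            return Err(deny("symlink in entry path"));
        }
        if !meta.is_dir() {
            return Err(deny("not a directory"));
        }
    }
    fs::set_permissions(&cur, fs::Permissions::from_mode(mode))
}

/// Constructed scenario: `dst/link` is a symlink to the sibling dir `outside`.
/// Returns (link refused, real dir accepted, mode of `outside` afterwards).
pub fn demo() -> io::Result<(bool, bool, u32)> {
    let base = std::env::temp_dir().join(format!("chmod-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&base);
    let (dst, outside) = (base.join("dst"), base.join("outside"));
    fs::create_dir_all(dst.join("real"))?;
    fs::create_dir_all(&outside)?;
    fs::set_permissions(&outside, fs::Permissions::from_mode(0o700))?;
    symlink(&outside, dst.join("link"))?;
    let refused = chmod_dir_in(&dst, Path::new("link"), 0o777).is_err();
    let real_ok = chmod_dir_in(&dst, Path::new("real"), 0o755).is_ok();
    let outside_mode = fs::metadata(&outside)?.permissions().mode() & 0o777;
    fs::remove_dir_all(&base)?;
    Ok((refused, real_ok, outside_mode))
}

fn main() {
    println!("{:?}", demo());
}
```

The check and the chmod are separate system calls, so this sketch still races with concurrent changes to the tree; it illustrates the stat-versus-lstat distinction and is not a replacement for upgrading to a patched release.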

Advisory available under CC0-1.0 license.