RUSTSEC-2026-0145

PAX Header Desynchronization in astral-tokio-tar

Reported
Issued
Package
astral-tokio-tar (crates.io)
Type
Vulnerability
Categories
Keywords
#tar #chmod
Aliases
References
Patched
  • >=0.6.2

Description

Versions of astral-tokio-tar prior to 0.6.2 contain a PAX header interpretation bug that allows manipulated entries to be made selectively visible or invisible during extraction with astral-tokio-tar versus other tar implementations. An attacker could use this differential to smuggle unexpected files onto a victim's filesystem.
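A lockfile check for the affected range, as an added example that is not part of the advisory or of the astral-tokio-tar project. It assumes the usual `Cargo.lock` layout (`name` before `version` inside each `[[package]]` block) and treats pre-releases of 0.6.2 as unpatched, per semver ordering; the sample lockfile and all function names are constructed for illustration.

```rust
use std::{env, fs};

const CRATE: &str = "astral-tokio-tar";
const PATCHED: (u64, u64, u64) = (0, 6, 2); // "Patched: >=0.6.2" from the advisory

// Constructed lockfile fragment: an old copy, a pre-release, a patched copy, an unrelated crate.
const SAMPLE: &str = "version = 4\n\n[[package]]\nname = \"astral-tokio-tar\"\nversion = \"0.5.6\"\n\n\
[[package]]\nname = \"astral-tokio-tar\"\nversion = \"0.6.2-rc.1\"\n\n\
[[package]]\nname = \"astral-tokio-tar\"\nversion = \"0.6.2\"\n\n\
[[package]]\nname = \"tokio\"\nversion = \"0.2.0\"\n";

/// True when `v` sorts below 0.6.2. Unparseable versions are reported (fail closed).
fn is_vulnerable(v: &str) -> bool {
    let no_build = v.split('+').next().unwrap_or(v); // build metadata does not affect ordering
    let (core, pre) = match no_build.split_once('-') {
        Some((c, _)) => (c, true), // "0.6.2-rc.1" precedes "0.6.2"
        None => (no_build, false),
    };
    let nums: Vec<u64> = core.split('.').filter_map(|p| p.parse().ok()).collect();
    match nums[..] {
        [a, b, c] if core.split('.').count() == 3 => {
            (a, b, c) < PATCHED || ((a, b, c) == PATCHED && pre)
        }
        _ => true,
    }
}

/// Extract the value of a `key = "value"` line, or None if the line has another key.
fn quoted(line: &str, key: &str) -> Option<String> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    Some(rest.trim().trim_matches('"').to_string())
}

/// Every locked version of the crate that falls in the affected range.
/// A lockfile can hold several versions of one crate, so all blocks are checked.
fn vulnerable_versions(lock: &str) -> Vec<String> {
    let (mut hits, mut name) = (Vec::new(), None);
    for line in lock.lines() {
        if line.trim() == "[[package]]" {
            name = None;
        } else if let Some(n) = quoted(line, "name") {
            name = Some(n);
        } else if let Some(v) = quoted(line, "version") {
            if name.as_deref() == Some(CRATE) && is_vulnerable(&v) {
                hits.push(v);
            }
        }
    }
    hits
}

fn main() {
    let lock = match env::args().nth(1) {
        Some(p) => fs::read_to_string(p).expect("cannot read lockfile"),
        None => SAMPLE.to_string(),
    };
    for v in vulnerable_versions(&lock) {
        println!("{} {} is below the patched 0.6.2 (RUSTSEC-2026-0145)", CRATE, v);
    }
}
```

Run it with a path to a `Cargo.lock` as the first argument; with no argument it scans the constructed sample.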

Advisory available under CC0-1.0 license.