Description

astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds.

INFO

Published Date :

2025-10-21T16:13:02.646Z

Last Modified :

2025-10-22T13:23:33.408Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-62518 vulnerability.

Vendors Products
Astral
  • Tokio-tar
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-62518.

URL Resource
https://edera.dev/stories/tarmageddon cve-icon cve-icon cve-icon
https://github.com/astral-sh/tokio-tar/commit/22b3f884adb7a2adf1d3a8d03469533f5cbc8318 cve-icon cve-icon cve-icon
https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-j5gw-2vrg-8fgx cve-icon cve-icon cve-icon
https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9 cve-icon cve-icon cve-icon
https://github.com/edera-dev/cve-tarmageddon cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-62518 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-62518 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact