Tar Archive Vulnerability in Astral-Tokio-Tar Library
CVE-2025-59825

6.1 MEDIUM

Key Information:

Vendor: Astral-sh
Status: Vendor
CVE Published: 23 September 2025

What is CVE-2025-59825?

The astral-tokio-tar library for async Rust exhibits a vulnerability in versions 0.5.3 and earlier that may allow tar archives to be extracted outside their intended destination directories. This occurs through the Entry::unpack_in_raw API, which fails to enforce the security controls that limit file extraction to specific directories. Additionally, the Entry::allow_external_symlinks setting, which is enabled by default, can be bypassed. This manipulation could allow an attacker to create a malicious tar archive that performs arbitrary file writes, potentially leading to unauthorized code execution within the system. Users are strongly advised to upgrade to version 0.5.4 to mitigate this issue.
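The two confinement checks this advisory says unpack_in_raw does not enforce, written out as an added Rust example (not astral-tokio-tar's own code): a lexical check on where an ordinary entry would be written, and a check that a symlink entry's target stays under the archive root. Function names and the path values used are constructed for illustration.

```rust
use std::path::{Component, Path, PathBuf};

/// Where an ordinary entry would be written: join its archive path onto
/// `dest`, accepting only plain relative components. Absolute paths,
/// Windows prefixes and every `..` are refused, since any of them can
/// put the write outside `dest`. A real unpacker must also canonicalize
/// the parent directory before writing, because an earlier entry may
/// already have planted a symlink there.
pub fn confined_path(dest: &Path, entry: &Path) -> Option<PathBuf> {
    let mut out = dest.to_path_buf();
    for comp in entry.components() {
        match comp {
            Component::Normal(part) => out.push(part),
            Component::CurDir => {}
            _ => return None, // `..`, leading `/`, or a `C:` prefix
        }
    }
    Some(out)
}

/// A symlink entry at `link` (archive-relative) pointing at `target`:
/// resolve the target lexically from the link's parent directory and
/// report whether it leaves the archive root. An external link has to be
/// refused, because a later entry written through it becomes an
/// arbitrary file write on the host.
pub fn symlink_is_external(link: &Path, target: &Path) -> bool {
    let parent = link.parent().unwrap_or(Path::new(""));
    let mut depth: isize = 0; // directories below the archive root
    for comp in parent.components().chain(target.components()) {
        match comp {
            Component::Normal(_) => depth += 1,
            Component::ParentDir => {
                depth -= 1;
                if depth < 0 {
                    return true; // climbed above the archive root
                }
            }
            Component::CurDir => {}
            Component::RootDir | Component::Prefix(_) => return true,
        }
    }
    false
}

fn main() {
    // Constructed inputs: one escaping entry path, one benign relative link.
    let dest = Path::new("/tmp/extract");
    println!("{:?}", confined_path(dest, Path::new("../etc/cron.d/job")));
    println!("{}", symlink_is_external(Path::new("lib/x.so"), Path::new("../lib64/x.so")));
}
```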

Affected Version(s)

tokio-tar < 0.5.4

CVSS v4

Score: 6.1
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
