Boundary Parsing Vulnerability in Astral-Tokio-Tar Library by Astral
CVE-2025-62518

8.1HIGH

Key Information:

Vendor

Astral-sh

Status
Vendor
CVE Published:
21 October 2025

Badges


What is CVE-2025-62518?

CVE-2025-62518 is a boundary parsing vulnerability in the astral-tokio-tar library, a Rust library for reading and writing tar archives asynchronously. The library is used by applications and services that need efficient handling of the tar format. The vulnerability stems from improper handling of PAX/ustar headers in versions prior to 0.5.6. Specifically, when parsing archives that contain PAX extended headers, the library advances the stream position based on header size fields that can be crafted to mislead it, so the parser's idea of where the next entry begins no longer matches the archive's actual layout. As a result, an attacker can smuggle additional archive entries into the processing stream and thereby alter the content that downstream code trusts. Organizations running affected versions risk compromised data and system integrity, particularly in environments that handle sensitive data or rely heavily on tar processing.
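As an added example, not code from astral-tokio-tar or Astral, the following minimal Python tar walker shows one way the size inconsistency described above plays out: when the stream is advanced by the ustar size field instead of the PAX override, an entry's payload is re-read as headers and extra entries appear; a consistency check that rejects such archives follows. The header builder, the sample archive and the 'smuggled.txt' name are constructed for this demonstration.

```python
BLOCK = 512  # tar block size; every header and every payload is block-aligned

def ustar_header(name: str, size: int, typeflag: bytes) -> bytes:
    """Build a 512-byte ustar header with a valid checksum (constructed data)."""
    hdr = bytearray(BLOCK)
    hdr[0:len(name)] = name.encode()
    hdr[100:124] = b"0000644\x00" b"0000000\x00" b"0000000\x00"   # mode, uid, gid
    hdr[124:136] = b"%011o\x00" % size            # the ustar size field
    hdr[136:148], hdr[148:156] = b"00000000000\x00", b"        "  # mtime; checksum summed over spaces
    hdr[156:157], hdr[257:265] = typeflag, b"ustar\x0000"          # typeflag, magic + version
    hdr[148:156] = b"%06o\x00 " % sum(hdr)
    return bytes(hdr)

def parse_pax(payload: bytes) -> dict:
    """Parse the 'LEN key=value\\n' records of a PAX extended header."""
    out, pos = {}, 0
    while pos < len(payload):
        length = int(payload[pos:].split(b" ", 1)[0])
        key, _, value = payload[pos:pos + length].split(b" ", 1)[1].rstrip(b"\n").partition(b"=")
        out[key.decode()] = value.decode()
        pos += length
    return out

def walk(archive: bytes, apply_pax_size: bool) -> list:
    """List (name, size) per entry; apply_pax_size=False reproduces the bug class above."""
    entries, pos, pax = [], 0, {}
    while pos + BLOCK <= len(archive) and archive[pos:pos + BLOCK].strip(b"\0"):
        hdr = archive[pos:pos + BLOCK]
        name = hdr[0:100].rstrip(b"\0").decode()
        size = int(hdr[124:136].rstrip(b"\0 ") or b"0", 8)
        pos += BLOCK
        if hdr[156:157] == b"x":                  # PAX header describing the entry that follows
            pax = parse_pax(archive[pos:pos + size])
        else:
            if apply_pax_size and "size" in pax:
                size = int(pax["size"])           # the PAX value must drive the stream position
            entries.append((name, size))
            pax = {}
        pos += -(-size // BLOCK) * BLOCK          # skip the payload, block-aligned
    return entries

def pax_size_inconsistent(archive: bytes) -> bool:
    """Defensive check: if the two traversals disagree, the size fields conflict; reject."""
    return walk(archive, True) != walk(archive, False)

def build_sample_archive() -> bytes:
    """Constructed sample: PAX says 512 bytes, ustar says 0, and the body is a header for 'smuggled.txt'."""
    pax_record = b"12 size=512\n"                 # LEN counts the whole record
    return (ustar_header("PaxHeaders/data.bin", len(pax_record), b"x") + pax_record.ljust(BLOCK, b"\0")
            + ustar_header("data.bin", 0, b"0") + ustar_header("smuggled.txt", 0, b"0") + b"\0" * 2 * BLOCK)
```

Honouring the PAX size yields the single entry `data.bin`; ignoring it yields `data.bin` followed by `smuggled.txt`, which is why `pax_size_inconsistent` flags the archive.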

Potential impact of CVE-2025-62518

  1. Data Integrity Compromise: The vulnerability can lead to unauthorized alterations in tar archives, risking the integrity of the data stored within those archives. This can result in the incorporation of malicious files or incorrect data in what should be a trusted archive, potentially impacting downstream processes relying on that data.

  2. Increased Attack Surface: By allowing attackers to smuggle additional archive entries, the vulnerability expands the attack vector for exploitation. This not only puts the specific application using the library at risk but also may allow attackers to leverage trusted systems to distribute malware or other malicious assets.

  3. Operational Disruption: Exploitation of this vulnerability can also cause operational problems, including denial of service, if crafted archives disrupt the library's normal processing. Such disruptions can significantly degrade applications that depend on this library, affecting business continuity and user trust.

Affected Version(s)

tokio-tar < 0.5.6

News Articles

TARmageddon Flaw in Async-Tar Rust Library Could Enable Remote Code Execution

High-severity TARmageddon flaw (CVE-2025-62518) in Rust’s async-tar libraries enables RCE via header parsing bug.

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • 📰 First article discovered by The Hacker News

  • Vulnerability published

  • Vulnerability Reserved