TARmageddon Vulnerability in Async-Tar and Tokio-Tar Libraries
Summary
A high-severity vulnerability dubbed TARmageddon (CVE-2025-62518) affects the async-tar Rust library and its forks, including tokio-tar. This flaw can enable remote code execution through file overwriting attacks. The issue stems from inconsistent handling of PAX and ustar headers, allowing attackers to smuggle additional archive entries. The vulnerability impacts several widely-used projects, such as testcontainers, wasmCloud, Binstalk, Astral's uv Python package manager, and liboxen. Users of tokio-tar are advised to migrate to astral-tokio-tar version 0.5.6 or later to remediate the flaw. The flaw was discovered in late August 2025 by Edera and disclosed publicly on October 22, 2025. The widespread use of tokio-tar makes it difficult to quantify the full impact of this vulnerability, and some affected projects have yet to respond to the disclosure.
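To make the header mismatch concrete from the defender's side, here is an added example (not code from Edera, the advisory, or any of the projects named above): a small validator that walks a tar stream the way POSIX prescribes, letting a PAX `size` record override the ustar size field, and reports every member where the two headers disagree, as well as any block that fails the ustar header checksum, which is what a reader that advanced by the wrong size would be handed. The header builder, the `PaxHeaders/` naming and the two sample archives are constructed here purely as test input; the code does not reproduce the tokio-tar bug itself.

```python
BLOCK = 512
def _checksum(h): return sum(h[:148]) + 8 * 32 + sum(h[156:])  # checksum field counted as 8 spaces

def _octal(field):  # numeric header field -> int; -1 marks a field that does not parse
    digits = field.split(b"\0", 1)[0].strip()
    return int(digits, 8) if digits.isdigit() else -1

def _header(name, size, typeflag="0"):  # one 512-byte ustar header (constructed sample, not the PoC)
    h = bytearray(BLOCK)
    h[0:len(name.encode())] = name.encode()
    h[100:148] = b"0000644\0" b"0000000\0" b"0000000\0" + b"%011o\0" % size + b"00000000000\0"  # mode uid gid size mtime
    h[156], h[257:265] = ord(typeflag), b"ustar\x0000"  # typeflag, magic + version
    h[148:156] = b"%06o\0 " % _checksum(h)
    return bytes(h)

def _pax_record(key, value):  # '<len> key=value\n', where len counts the whole record
    body, n = f" {key}={value}\n", 1
    while len(str(n)) + len(body) != n:
        n = len(str(n)) + len(body)
    return f"{n}{body}".encode()

def build_archive(entries):  # entries: (name, data, pax_size or None); constructed test data only
    pad = lambda b: b + b"\0" * (-len(b) % BLOCK)
    out = b""
    for name, data, pax_size in entries:
        if pax_size is not None:
            rec = _pax_record("size", pax_size)
            out += _header("PaxHeaders/" + name, len(rec), "x") + pad(rec)
        out += _header(name, len(data)) + pad(data)
    return out + b"\0" * (2 * BLOCK)

def find_size_mismatches(archive):
    """Walk the archive honouring PAX sizes (POSIX); report PAX/ustar size disagreements and bad checksums."""
    findings, pos, pax = [], 0, {}
    while pos + BLOCK <= len(archive) and archive[pos:pos + BLOCK] != b"\0" * BLOCK:
        h = archive[pos:pos + BLOCK]
        if _octal(h[148:156]) != _checksum(h):  # a desynchronised reader lands on file data, not a header
            findings.append(f"bad header checksum at offset {pos}")
            break
        name, size = h[:100].split(b"\0", 1)[0].decode(errors="replace"), _octal(h[124:136])
        if chr(h[156]) == "x":  # PAX extended header describing the next entry
            recs = archive[pos + BLOCK:pos + BLOCK + size].decode(errors="replace").split("\n")
            pax = dict(r.split(" ", 1)[1].split("=", 1) for r in recs if r)
        else:  # a zero ustar size is the accepted placeholder for oversized members; anything else must agree
            if "size" in pax and size not in (0, int(pax["size"])):
                findings.append(name)
            size, pax = int(pax.get("size", size)), {}
        pos += BLOCK + (size + BLOCK - 1) // BLOCK * BLOCK
    return findings

BENIGN = build_archive([("a.txt", b"hello\n", None), ("b.txt", b"world\n", 6)])  # headers agree
MISMATCHED = build_archive([("payload.txt", b"x" * 700, 100)])  # ustar says 700 bytes, PAX says 100
```

A reported mismatch is a reason to reject the archive before extraction, not to pick one of the two sizes.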
Timeline
- 22.10.2025 10:05 (2 articles): TARmageddon Vulnerability in Async-Tar and Tokio-Tar Libraries Disclosed
A high-severity vulnerability, dubbed TARmageddon, was discovered in the async-tar Rust library and its forks, including tokio-tar. The flaw can enable remote code execution through file overwriting attacks. It stems from a desynchronization in the processing of nested TAR files with mismatched ustar and PAX headers, which allows attackers to smuggle additional archive entries. The vulnerability impacts several widely-used projects, including Binstalk, Astral's uv Python package manager, the wasmCloud universal application platform, liboxen, and the open-source testcontainers library. Users of tokio-tar are advised to migrate to astral-tokio-tar version 0.5.6 or later to remediate the flaw. The flaw was discovered in late August 2025 and disclosed publicly on October 22, 2025. The widespread use of tokio-tar makes it difficult to quantify the full impact of this vulnerability, and some affected projects have yet to respond to the disclosure.
Sources:
- TARmageddon Flaw in Async-Tar Rust Library Could Enable Remote Code Execution — thehackernews.com — 22.10.2025 10:05
- TARmageddon flaw in abandoned Rust library enables RCE attacks — www.bleepingcomputer.com — 22.10.2025 20:21
Information Snippets
First reported 22.10.2025 10:05 (2 sources, 2 articles: thehackernews.com, www.bleepingcomputer.com):
- The vulnerability is tracked as CVE-2025-62518 with a CVSS score of 8.1.
- The flaw affects the async-tar Rust library and its forks, including tokio-tar.
- The issue can lead to remote code execution through file overwriting attacks.
- The vulnerability impacts several widely-used projects, such as testcontainers and wasmCloud.
- Tokio-tar is essentially abandonware, with the last update on July 15, 2023.
- Astral-tokio-tar version 0.5.6 addresses the vulnerability.
- The flaw results from inconsistent handling of PAX and ustar headers.
- The inconsistency allows attackers to smuggle additional archive entries.
- The vulnerability was discovered in late August 2025 and disclosed on October 22, 2025.
First reported 22.10.2025 20:21 (1 source, 1 article: www.bleepingcomputer.com):
- The flaw results from a desynchronization issue in processing nested TAR files with mismatched ustar and PAX headers.
- The vulnerability can be exploited to overwrite files in supply chain attacks by replacing configuration files and hijacking build backends.
- The TARmageddon vulnerability affects Binstalk, Astral's uv Python package manager, the wasmCloud universal application platform, liboxen, and the open-source testcontainers library.
- Edera advises developers to upgrade to a patched version, remove the vulnerable tokio-tar dependency, or switch to the actively maintained astral-tokio-tar fork.
- Edera's async-tar fork (krata-tokio-tar) will be archived to reduce confusion in the ecosystem.
Similar Happenings
Command injection flaw in Libraesva ESG exploited by state actors
Libraesva has released an emergency update for its Email Security Gateway (ESG) solution to address a command injection vulnerability (CVE-2025-59689). This flaw, exploited by a state-sponsored actor, allows arbitrary shell command execution via a crafted email attachment. The vulnerability affects all versions from 4.5 onwards and has been patched in versions 5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8, and 5.5.7. The exploit was discovered and patched within 17 hours of detection. The vulnerability is triggered by improper sanitization of compressed archive formats, enabling non-privileged users to execute arbitrary commands. The patch includes a sanitization fix, automated scans for indicators of compromise, and a self-assessment module to verify the update's application. The vulnerability has a CVSS score of 6.1, indicating medium severity. Libraesva has identified one confirmed incident of abuse by a foreign hostile state entity. Customers using versions below 5.0 must upgrade manually to a supported release, as they have reached end-of-life and will not receive a patch for CVE-2025-59689.
Critical Deserialization RCE Vulnerability in SolarWinds Web Help Desk
SolarWinds has released a third patch to address a critical deserialization vulnerability (CVE-2025-26399) in Web Help Desk 12.8.7 and earlier versions. This flaw allows unauthenticated remote code execution (RCE) on affected systems. The vulnerability was discovered by an anonymous researcher and reported through Trend Micro's Zero Day Initiative (ZDI). The flaw is a patch bypass for CVE-2024-28988, which itself was a bypass for CVE-2024-28986. The original vulnerability was exploited in the wild and added to the Known Exploited Vulnerabilities (KEV) catalog by CISA. SolarWinds advises users to update to version 12.8.7 HF1 to mitigate the risk. SolarWinds Web Help Desk is a help desk and ticketing suite used by medium-to-large organizations for IT support request tracking, workflow automation, asset management, and compliance assurance. The vulnerability affects the AjaxProxy component, and the hotfix requires replacing specific JAR files.