
TARmageddon Vulnerability in Async-Tar and Tokio-Tar Libraries

2 unique sources, 2 articles

Summary


A high-severity vulnerability dubbed TARmageddon (CVE-2025-62518) affects the async-tar Rust library and its forks, including tokio-tar. The flaw can enable remote code execution through file-overwriting attacks. It stems from inconsistent handling of PAX and ustar headers, which allows attackers to smuggle additional archive entries past the parser. The vulnerability impacts several widely used projects, such as testcontainers, wasmCloud, Binstalk, Astral's uv Python package manager, and liboxen. Users of tokio-tar are advised to migrate to astral-tokio-tar version 0.5.6 or later to remediate the flaw. The flaw was discovered in late August 2025 by Edera and disclosed publicly on October 22, 2025. The widespread use of tokio-tar makes it difficult to quantify the full impact of this vulnerability, and some affected projects have yet to respond to the disclosure.

Timeline

  1. 22.10.2025 10:05 · 2 articles

    TARmageddon Vulnerability in Async-Tar and Tokio-Tar Libraries Disclosed

    A high-severity vulnerability, dubbed TARmageddon, was discovered in the async-tar Rust library and its forks, including tokio-tar. The flaw can enable remote code execution through file-overwriting attacks. It stems from a desynchronization when processing nested TAR files whose ustar and PAX headers disagree, which allows attackers to smuggle additional archive entries. The vulnerability impacts several widely used projects, including Binstalk, Astral's uv Python package manager, the wasmCloud universal application platform, liboxen, and the open-source testcontainers library. Users of tokio-tar are advised to migrate to astral-tokio-tar version 0.5.6 or later to remediate the flaw. The flaw was discovered in late August 2025 and disclosed publicly on October 22, 2025. The widespread use of tokio-tar makes it difficult to quantify the full impact of this vulnerability, and some affected projects have yet to respond to the disclosure.

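The header disagreement described above can be checked for on the receiving side before an archive is handed to any extractor. The following scanner is an added example written for this page, not code from Edera, async-tar or astral-tokio-tar: it walks raw tar blocks and reports every entry whose PAX `size` record differs from the ustar size field. The sample archive it builds (entry names `payload`, `smuggled.txt`, `PaxHeaders/payload`) is constructed here and is not taken from the advisory.

```python
BLOCK = 512

def _parse_pax(body: bytes) -> dict:
    """PAX records are '<len> <key>=<value>\n'; len counts the whole record."""
    records, pos = {}, 0
    while pos < len(body):
        space = body.index(b" ", pos)
        reclen = int(body[pos:space])
        key, _, value = body[space + 1:pos + reclen - 1].partition(b"=")
        records[key.decode()] = value.decode()
        pos += reclen
    return records

def pax_size_mismatches(data: bytes) -> list:
    """Return (name, ustar_size, pax_size) for each entry whose PAX size differs."""
    findings, pending, off = [], {}, 0
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:             # end-of-archive marker
            break
        name = hdr[0:100].split(b"\0", 1)[0].decode()
        size = int(hdr[124:136].split(b"\0", 1)[0], 8)
        if hdr[156:157] in (b"x", b"g"):     # PAX extended / global header
            pending = _parse_pax(data[off + BLOCK:off + BLOCK + size])
        else:
            pax_size = int(pending["size"]) if "size" in pending else None
            if pax_size is not None and pax_size != size:
                findings.append((name, size, pax_size))
                size = pax_size              # POSIX: the PAX record takes precedence
            pending = {}
        off += BLOCK + (size + BLOCK - 1) // BLOCK * BLOCK   # skip the entry body
    return findings

# Constructed sample (not from the advisory): a raw tar built by hand so the
# two size fields can be made to disagree, which tarfile.open() will not do.
def _header(name: bytes, size: int, typeflag: bytes) -> bytes:
    h = bytearray(BLOCK)
    h[0:len(name)], h[100:108], h[124:136] = name, b"0000644\0", b"%011o\0" % size
    h[136:148], h[156:157], h[257:265] = b"00000000000\0", typeflag, b"ustar\0" + b"00"
    h[148:156] = b"        "                 # checksum is computed with the field blank
    h[148:156] = b"%06o\0 " % sum(h)
    return bytes(h)

def _pad(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % BLOCK)

def build_archive(ustar_size: int) -> bytes:
    """Entry 'payload' whose body is itself a small tar; the PAX header states
    the true body length, ustar_size is what the ustar header claims."""
    inner = _header(b"smuggled.txt", 5, b"0") + _pad(b"hello") + b"\0" * (2 * BLOCK)
    rest = b" size=%d\n" % len(inner)
    reclen = next(n for n in range(len(rest) + 1, len(rest) + 8) if len(str(n)) + len(rest) == n)
    rec = b"%d%s" % (reclen, rest)
    return (_header(b"PaxHeaders/payload", len(rec), b"x") + _pad(rec)
            + _header(b"payload", ustar_size, b"0") + inner + b"\0" * (2 * BLOCK))
```

`build_archive(len_of_inner)` yields a consistent archive and no findings; `build_archive(0)` yields the mismatched pair a vulnerable reader would desynchronize on, which the scanner reports as `("payload", 0, 2048)`.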


Similar Happenings

Command injection flaw in Libraesva ESG exploited by state actors

Libraesva has released an emergency update for its Email Security Gateway (ESG) solution to address a command injection vulnerability (CVE-2025-59689). This flaw, exploited by a state-sponsored actor, allows arbitrary shell command execution via a crafted email attachment. The vulnerability affects all versions from 4.5 onwards and has been patched in versions 5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8, and 5.5.7. The exploit was discovered and patched within 17 hours of detection. The vulnerability is triggered by improper sanitization of compressed archive formats, enabling non-privileged users to execute arbitrary commands. The patch includes a sanitization fix, automated scans for indicators of compromise, and a self-assessment module to verify the update's application. The vulnerability has a CVSS score of 6.1, indicating medium severity. Libraesva has identified one confirmed incident of abuse by a foreign hostile state entity. Customers using versions below 5.0 must upgrade manually to a supported release, as they have reached end-of-life and will not receive a patch for CVE-2025-59689.

Critical Deserialization RCE Vulnerability in SolarWinds Web Help Desk

SolarWinds has released a third patch to address a critical deserialization vulnerability (CVE-2025-26399) in Web Help Desk 12.8.7 and earlier versions. This flaw allows unauthenticated remote code execution (RCE) on affected systems. The vulnerability was discovered by an anonymous researcher and reported through Trend Micro's Zero Day Initiative (ZDI). The flaw is a patch bypass for CVE-2024-28988, which itself was a bypass for CVE-2024-28986. The original vulnerability was exploited in the wild and added to the Known Exploited Vulnerabilities (KEV) catalog by CISA. SolarWinds advises users to update to version 12.8.7 HF1 to mitigate the risk. SolarWinds Web Help Desk is a help desk and ticketing suite used by medium-to-large organizations for IT support request tracking, workflow automation, asset management, and compliance assurance. The vulnerability affects the AjaxProxy component, and the hotfix requires replacing specific JAR files.