tokio-tar remediation guidance (CVE-2025-62518)
Advisory/Mitigation
Summary
Edera told developers using tokio-tar to upgrade to a patched version or immediately remove the dependency because CVE-2025-62518 leaves projects exposed to archive-entry injection and remote code execution. The guidance targets systems still relying on the abandoned Rust library and its forks. Edera also recommends moving to the maintained astral-tokio-tar fork.
Related Happenings
Linux kernel Dirty Frag patch release (CVE-2026-43284, CVE-2026-43500)
Security Patch Release
First: 11.05.2026 17:30
Last: 11.05.2026 17:30
Sources 1
About this happening:
**Major Linux distributions** are rolling out fixes for **Dirty Frag**, the **Linux kernel** patch release that covers **CVE-2026-43284** and **CVE-2026-43500**. The update matter...
cPanel security patch release for CVE-2026-29201
Security Patch Release
First: 09.05.2026 10:16
Last: 09.05.2026 10:16
Sources 1
About this happening:
**cPanel** released updates for **cPanel and Web Host Manager (WHM)** to fix **three vulnerabilities** that could enable **privilege escalation**, **code execution**, or **denial-...
vm2 Node.js sandbox escape and RCE vulnerabilities (CVE-2026-24118)
Vulnerability
First: 07.05.2026 07:15
Last: 07.05.2026 07:15
Sources 1
About this happening:
**vm2** now has **multiple critical vulnerabilities** that can let attacker-controlled JavaScript **escape the sandbox** and reach the host, creating **arbitrary code execution**...
Linux kernel security update for Copy Fail (CVE-2026-31431)
Security Patch Release
First: 30.04.2026 16:54
Last: 30.04.2026 16:54
Sources 1
About this happening:
**Linux kernel** maintainers have fixed **CVE-2026-31431** and are rolling out updates to close a **local privilege escalation** flaw that lets an unprivileged attacker gain **roo...
Linux distributions mitigation advisories for CVE-2026-31431
Advisory/Mitigation
First: 30.04.2026 12:24
Last: 30.04.2026 12:24
Sources 1
About this happening:
Multiple **Linux distributions** released advisories for **CVE-2026-31431**, adding mitigation guidance for a **Linux kernel local privilege escalation** that can let an unprivile...
Timeline
22.10.2025 20:21 2 articles · 7mo ago
tokio-tar remediation guidance for CVE-2025-62518
Mitigation Patch Update
Edera disclosed CVE-2025-62518, a high-severity logic flaw in abandoned async-tar Rust library forks that can allow unauthenticated archive-entry injection and remote code execution during nested TAR extraction. Developers are advised to upgrade to a patched version, remove the vulnerable tokio-tar dependency, or move to the maintained astral-tokio-tar fork.
- TARmageddon flaw in abandoned Rust library enables RCE attacks — www.bleepingcomputer.com — 22.10.2025 20:21