{"id":"CVE-2025-62518","summary":"astral-tokio-tar Vulnerable to PAX Header Desynchronization","details":"astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds.","aliases":["GHSA-j5gw-2vrg-8fgx","RUSTSEC-2025-0110","RUSTSEC-2025-0111"],"modified":"2026-04-21T04:12:21.527380Z","published":"2025-10-21T16:13:02.646Z","related":["CGA-c43c-444v-mwfp","GHSA-j5gw-2vrg-8fgx","GHSA-w476-p2h3-79g9","RUSTSEC-2025-0111","SUSE-SU-2026:20077-1","openSUSE-SU-2025:15658-1","openSUSE-SU-2026:20026-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62518.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-843"]},"references":[{"type":"WEB","url":"https://edera.dev/stories/tarmageddon"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62518.json"},{"type":"ADVISORY","url":"https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-j5gw-2vrg-8fgx"},{"type":"ADVISORY","url":"https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62518"},{"type":"FIX","url":"https://github.com/astral-sh/tokio-tar/commit/22b3f884adb7a2adf1d3a8d03469533f5cbc8318"},{"type":"PACKAGE","url":"https://github.com/edera-dev/cve-tarmageddon"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/astral-sh/tokio-tar","events":[{"introduced":"0"},{"fixed":"22b3f884adb7a2adf1d3a8d03469533f5cbc8318"}]}],"versions":["9b5e692","b1e6022","ba2b140","c06006a","efeaea9","v0.5.0","v0.5.1","v0.5.2","v0.5.3","v0.5.4","v0.5.5","v5.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-62518.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"}]}