{"id":"RUSTSEC-2025-0110","summary":"astral-tokio-tar Vulnerable to PAX Header Desynchronization","details":"Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing\nvulnerability that allows attackers to smuggle additional archive entries by\nexploiting inconsistent PAX/ustar header handling. When processing archives with\nPAX-extended headers containing size overrides, the parser incorrectly advances the\nstream position based on the ustar header size (often zero) instead of the\nPAX-specified size, causing it to interpret file content as legitimate tar\nheaders.\n\nThis vulnerability was disclosed to the maintainers of multiple Rust tar parsers, all derived from\nthe original async-tar fork of tar-rs.\n\nFor additional information see\n[Edera's blog post](https://edera.dev/stories/tarmageddon).","aliases":["CVE-2025-62518","GHSA-j5gw-2vrg-8fgx","RUSTSEC-2025-0111"],"modified":"2026-01-17T07:56:06.879751Z","published":"2025-10-21T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/astral-tokio-tar"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2025-0110.html"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-j5gw-2vrg-8fgx"}],"affected":[{"package":{"name":"astral-tokio-tar","ecosystem":"crates.io","purl":"pkg:cargo/astral-tokio-tar"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.5.6"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"arch":[],"os":[],"functions":[]}},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2025-0110.json","informational":null,"categories":["format-injection"],"cvss":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"}]}