
TARmageddon Flaw in Popular Rust Library Leads to RCE

The vulnerability impacts multiple Rust tar parsers, allowing attackers to smuggle additional archive entries. The post TARmageddon Flaw in Popular Rust Library Leads to RCE appeared first on SecurityWeek.

A high-severity vulnerability in the popular Rust library Async-tar could allow attackers to smuggle archive entries and execute arbitrary code remotely.

Tracked as CVE-2025-62518 (CVSS score of 8.1) and dubbed TARmageddon, the security defect is described as a desynchronization issue that occurs during the processing of nested TAR files with a specific mismatch between PAX and ustar headers.

If a file entry has both headers and the ustar header incorrectly specifies a zero size, an inconsistency in the parser’s data-boundary determination logic causes the parser to advance the stream position based on the ustar size, even though the PAX header correctly specifies the file size.

“By advancing 0 bytes, the parser fails to skip over the actual file data (which is a nested TAR archive) and immediately encounters the next valid TAR header located at the start of the nested archive. It then incorrectly interprets the inner archive’s headers as legitimate entries belonging to the outer archive,” explains Edera, the company that reported the flaw in August.

The bug could lead to remote code execution, as its successful exploitation results in file overwrites, allowing attackers to replace configuration files. It could also be exploited in supply chain attacks to hijack build backends, the security firm says.

According to Edera, the impact from this vulnerability across the ecosystem cannot be quantified, as the vulnerable library, Async-tar, and its most popular fork, Tokio-tar, have been abandoned.

This essentially prevented the deployment of a patch to the upstream repository, which would be inherited by downstream users. Instead, Edera took a decentralized disclosure approach to ensure the rollout of patches.

Tokio-tar, Edera explains, has over 5 million downloads on crates.io and is used in numerous downstream projects, including the now-archived Krata-tokio-tar (which was originally maintained by Edera), Astral-tokio-tar (maintained by Astral), Testcontainers, Binstalk-downloader, Liboxen, and Opa-wasm.

Binstalk’s maintainers decided to remove the dependency or switch to Astral-tokio-tar, which has been updated (version 0.5.6) to fix the bug. Opa-wasm is not affected, as it does not rely on the vulnerable Tokio-tar functionality.

“Other projects were made aware of the upcoming patch and have not responded to our attempts at outreach. Furthermore, there are likely several downstream projects relying on impacted versions that we are not aware of,” Edera notes.

With fixes rolled out for Astral-tokio-tar and Krata-tokio-tar, downstream users are advised to switch to these patched libraries, or to modify their TAR parsers to prioritize PAX headers for size determination, validate header consistency, and add strict boundary checking to prevent header confusion.
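As an added example (not code from async-tar, tokio-tar or Edera), the minimal Rust TAR walker below builds a constructed nested archive of the kind described above (PAX `size` record present, ustar size field zero) and shows both behaviours: with `trust_pax = false` it advances by the ustar size and lists the inner archive's entry as though it belonged to the outer archive, and with `trust_pax = true` it applies the mitigations just listed (PAX size authoritative, header consistency check). The entry names, sizes and helper names are assumptions made for the illustration.

```rust
// Added example (not code from async-tar, tokio-tar or Edera): a minimal TAR walker that shows the PAX/ustar size desync and the hardened rule.
fn pad(n: usize) -> usize { (n + 511) / 512 * 512 } // TAR stores headers and data in 512-byte blocks
fn octal(f: &[u8]) -> u64 { u64::from_str_radix(String::from_utf8_lossy(f).trim_matches(|c| c == '\0' || c == ' '), 8).unwrap_or(0) }
fn ustar_header(name: &str, typeflag: u8, size: u64) -> Vec<u8> { // one 512-byte header; `size` fills the ustar size field
    let mut h = vec![0u8; 512];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[124..135].copy_from_slice(format!("{size:011o}").as_bytes());
    h[156] = typeflag;
    h[257..262].copy_from_slice(b"ustar");
    h
}
// Constructed sample: one outer entry, a nested tar, whose true size is in a PAX `size` record while the ustar size field says `outer_ustar_size` (0 for TARmageddon).
fn sample_archive(outer_ustar_size: u64) -> Vec<u8> {
    let mut inner = ustar_header("evil.conf", b'0', 5);
    inner.extend(b"pwned");
    inner.resize(pad(inner.len()), 0);
    let body = format!(" size={}\n", inner.len());
    let len = (1..).find(|l: &usize| l.to_string().len() + body.len() == *l).unwrap(); // PAX record "<len> key=value\n"; <len> counts itself
    let mut tar = ustar_header("PaxHeader", b'x', len as u64);
    tar.extend(format!("{len}{body}").as_bytes());
    tar.resize(pad(tar.len()), 0);
    tar.extend(ustar_header("outer.tar", b'0', outer_ustar_size));
    tar.extend(&inner);
    tar.extend([0u8; 1024]); // end-of-archive marker
    tar
}
// Return the entry names seen; `trust_pax = false` reproduces the vulnerable behaviour.
fn list_entries(tar: &[u8], trust_pax: bool) -> Result<Vec<String>, String> {
    let (mut names, mut pos, mut pax_size) = (Vec::new(), 0usize, None::<u64>);
    while pos + 512 <= tar.len() && tar[pos] != 0 {
        let h = &tar[pos..pos + 512];
        let name = String::from_utf8_lossy(&h[..100]).trim_end_matches('\0').to_string();
        let ustar_size = octal(&h[124..136]);
        pos += 512;
        if h[156] == b'x' { // PAX extended header: its records describe the *next* entry
            let recs = String::from_utf8_lossy(&tar[pos..pos + ustar_size as usize]).into_owned();
            pax_size = recs.lines().find_map(|l| l.split_once(" size=")?.1.parse().ok());
            pos += pad(ustar_size as usize);
            continue;
        }
        let size = match pax_size.take() {
            Some(p) if trust_pax && ustar_size != 0 && ustar_size != p => return Err(format!("size mismatch for {name}")),
            Some(p) if trust_pax => p, // hardened: the PAX size is authoritative
            _ => ustar_size,           // vulnerable: 0 bytes skipped, so the inner archive's headers leak into the outer listing
        };
        names.push(name);
        pos += pad(size as usize);
    }
    Ok(names)
}
```

Running `list_entries(&sample_archive(0), false)` yields both `outer.tar` and the smuggled `evil.conf`, while `trust_pax = true` yields only `outer.tar`; a non-zero ustar size that disagrees with the PAX record is rejected as inconsistent.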

“The discovery of TARmageddon is an important reminder that Rust is not a silver bullet. This lineage of vulnerable libraries (async-tar > tokio-tar > forks) tells a common open-source story: popular code, even in modern secure languages, can become unmaintained and expose its millions of downstream users to risk,” Edera notes.
