Full Report
A high-severity vulnerability in the now-abandoned async-tar Rust library and its forks can be exploited to gain remote code execution on systems running unpatched software. [...]
Analysis Summary
# Vulnerability: TARmageddon Remote Code Execution in Abandoned Rust TAR Libraries
## CVE Details
- CVE ID: CVE-2025-62518
- CVSS Score: Not explicitly stated, but described as "high-severity."
- CWE: Logic Error / Desynchronization (Inferred from technical description)
## Affected Systems
- Products: `async-tar` Rust library, `tokio-tar` (a popular fork), and any downstream projects relying on these abandoned libraries.
- Versions: Unpatched versions of `async-tar` and `tokio-tar`.
- Configurations: Any code path that extracts nested TAR archives containing mismatched `ustar` and `PAX` extended headers.
## Vulnerability Description
This is a logic flaw (dubbed "TARmageddon") in the `async-tar` library and its forks, specifically when parsing nested TAR archives. A desynchronization issue arises when processing TAR files containing mismatched `ustar` and `PAX` extended headers. This allows an unauthenticated attacker to inject supplementary archive entries. The parser mistakes attacker-supplied file content for TAR headers, enabling the extraction of attacker-controlled files outside their intended location, which can lead to Remote Code Execution (RCE) by overwriting critical system or application files (e.g., configuration files, build backends).
## Exploitation
- Status: Disclosed; a proof of concept likely exists based on the vendor advisory, but in-the-wild exploitation is not confirmed.
- Complexity: Implied to be low enough to enable supply chain attacks.
- Attack Vector: Network (via delivery of a malicious TAR file).
## Impact
- Confidentiality: Potential (If configuration files expose secrets or execution context).
- Integrity: High (Ability to overwrite files, hijack build processes leading to RCE).
- Availability: High (Potential for denial of service via system file corruption).
## Remediation
### Patches
- Active forks of the library have been patched (reference: Astral Security Advisory).
- Patching involves upgrading to patched forks or applying specific fixes made by Edera/Astral.
### Workarounds
- **Primary Recommendation:** Immediately remove the vulnerable `tokio-tar` dependency.
- **Alternative:** Switch dependency usage to the actively maintained fork: `astral-tokio-tar`.
- Developers are advised to review dependency trees for transitive usage linked to `async-tar` or `tokio-tar`.
## Detection
- Indicators of Compromise: Unexpected file modifications within application directories or build environments coinciding with TAR archive processing operations.
- Detection methods and tools: Static analysis (SAST) of dependency manifests (`Cargo.toml` or equivalent build files) to identify direct or transitive use of `async-tar` or its popular `tokio-tar` fork. Dynamic analysis focused on unexpected file writes during archive extraction.
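As an added example (not code from the advisory or from the Edera/Astral projects), the dependency-tree review recommended above can be automated against a `Cargo.lock`: the script below maps each vulnerable crate present in the lockfile to every crate that pulls it in, directly or transitively. The lockfile content and crate names (`my-service`, `archive-helper`) are constructed for the example.

```python
import re
from collections import defaultdict
# Crates the advisory names as vulnerable; the maintained fork astral-tokio-tar is deliberately not flagged.
VULNERABLE_CRATES = {"async-tar", "tokio-tar"}

# Constructed sample Cargo.lock for this example (not a real project's lockfile): tokio-tar is transitive.
SAMPLE_LOCK = """\
[[package]]
name = "my-service"
dependencies = [
 "archive-helper",
]
[[package]]
name = "archive-helper"
dependencies = ["tokio-tar"]
[[package]]
name = "tokio-tar"
"""

def parse_cargo_lock(lock_text):
    """Map each [[package]] name to its direct dependency names ("name 1.2.3" entries keep only the name)."""
    packages, current, in_deps = {}, None, False
    for line in (raw.strip() for raw in lock_text.splitlines()):
        if line.startswith("["):                     # [[package]] or [metadata] starts a new block
            current, in_deps = None, False
        elif current is None and (m := re.match(r'name\s*=\s*"([^"]+)"', line)):
            current = m.group(1)
            packages[current] = set()
        elif current and (line.startswith("dependencies") or in_deps):   # inline or multi-line array
            packages[current].update(d.split()[0] for d in re.findall(r'"([^"]+)"', line))
            in_deps = not line.endswith("]")
    return packages

def audit_lock(lock_text):
    """Map each vulnerable crate present in the lockfile to every crate that (transitively) pulls it in."""
    packages = parse_cargo_lock(lock_text)
    reverse = defaultdict(set)                       # dependency -> crates that list it
    for crate, deps in packages.items():
        for dep in deps:
            reverse[dep].add(crate)
    report = {}
    for vuln in sorted(v for v in VULNERABLE_CRATES if v in packages):
        found, stack = set(), [vuln]
        while stack:                                 # walk the reverse graph up to the roots
            for parent in reverse.get(stack.pop(), ()):
                if parent not in found:
                    found.add(parent)
                    stack.append(parent)
        report[vuln] = sorted(found)
    return report
```

Running `audit_lock` on the sample reports `tokio-tar` reached through `archive-helper` and `my-service`; an empty result means neither vulnerable crate appears in the lockfile.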
## References
- Vendor Advisory (Edera): hxxps://edera.dev/stories/tarmageddon
- Downstream Project Changes: hxxps://github.com/edera-dev/cve-tarmageddon/tree/main/patches