Full Report
Cybersecurity researchers have disclosed details of a high-severity flaw impacting the popular async-tar Rust library and its forks, including tokio-tar, that could result in remote code execution under certain conditions. The vulnerability, tracked as CVE-2025-62518 (CVSS score: 8.1), has been codenamed TARmageddon by Edera, which discovered the issue in late August 2025. It impacts several
Analysis Summary
# Vulnerability: TARmageddon Flaw in Async-Tar Rust Library Leading to RCE
## CVE Details
- CVE ID: CVE-2025-62518
- CVSS Score: 8.1 (High)
- CWE: Not explicitly stated; the flaw is a logic error arising from inconsistent parsing of file-size fields.
## Affected Systems
- Products: `async-tar` Rust library and its forks, including `tokio-tar`. Affects projects relying on these libraries, such as `testcontainers` and `wasmCloud`.
- Versions: Versions of `astral-tokio-tar` prior to **0.5.6**. (The vulnerability exists in `tokio-tar` as well, which the report notes has been largely abandoned since July 15, 2023.)
- Configurations: Any code path that parses or extracts TAR archives containing PAX extended headers.
## Vulnerability Description
The flaw, dubbed TARmageddon, is a logic bug concerning the inconsistent handling of file size boundaries between PAX extended headers and USTAR headers when parsing TAR archives. When an archive contains PAX-extended headers that correctly specify a file size, the vulnerable parser incorrectly advances the stream position based on the USTAR header size (often zero) instead of the PAX-specified size. This causes the parser to fail to skip the actual file data (which may contain a nested TAR archive). Consequently, the library interprets the content of the nested archive's headers as legitimate entries belonging to the outer archive, allowing an attacker to "smuggle" extra archives. This can lead to file overwriting attacks, such as replacing critical files (e.g., configuration files or build backends), culminating in Remote Code Execution (RCE).
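To make the size-boundary decision concrete, here is an added example in Rust that is not code from async-tar, tokio-tar, Edera or the advisory: a minimal TAR lister whose `honor_pax` flag switches between advancing by the USTAR size field (the vulnerable behaviour) and by the PAX `size` record (the fix). The archive built by `demo_archive()`, its file names, sizes and filler bytes are constructed for this demonstration, and the header checksum and magic fields are deliberately left unchecked.

```rust
// Added demo, not async-tar/tokio-tar code: PAX-vs-USTAR size decision behind TARmageddon; demo_archive() is constructed.
const BLOCK: usize = 512;
fn padded_len(size: u64) -> usize { (size as usize + BLOCK - 1) / BLOCK * BLOCK }
/// Octal size field (bytes 124..136) of a USTAR header.
fn ustar_size(hdr: &[u8]) -> Result<u64, String> {
    let s = std::str::from_utf8(&hdr[124..136]).map_err(|e| e.to_string())?;
    u64::from_str_radix(s.trim_end_matches(|c| c == '\0' || c == ' '), 8).map_err(|e| e.to_string())
}
fn pax_size(data: &[u8]) -> Option<u64> {
    // PAX records look like "<len> key=value\n"; only the size record matters here.
    std::str::from_utf8(data).ok()?.split('\n').filter_map(|r| r.split_once(' '))
        .find_map(|(_, kv)| kv.strip_prefix("size=")?.parse().ok())
}
/// List (name, size). honor_pax=false advances by the USTAR size as the vulnerable parser did.
fn list_entries(archive: &[u8], honor_pax: bool) -> Result<Vec<(String, u64)>, String> {
    let (mut entries, mut pos, mut pending_pax) = (Vec::new(), 0usize, None);
    while let Some(hdr) = archive.get(pos..pos + BLOCK) {
        if hdr.iter().all(|&b| b == 0) { break; } // end-of-archive block
        let ustar = ustar_size(hdr)?;
        pos += BLOCK;
        if hdr[156] == b'x' { // PAX extended header: its records describe the next entry
            let end = pos + padded_len(ustar);
            pending_pax = pax_size(archive.get(pos..end).ok_or("truncated PAX data")?);
            pos = end; continue;
        }
        let name = String::from_utf8_lossy(&hdr[..100]).trim_end_matches('\0').to_string();
        // The fix: when a PAX size exists it, not the USTAR field, decides how far to skip.
        let size = match pending_pax.take() { Some(p) if honor_pax => p, _ => ustar };
        pos += padded_len(size);
        entries.push((name, size));
    }
    Ok(entries)
}
fn header(name: &str, size: u64, typeflag: u8) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK]; // checksum and magic omitted; this demo checks neither
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes());
    h[156] = typeflag; // b'0' regular file, b'x' PAX extended header
    h
}
/// Constructed archive: PAX says first.bin is 1024 bytes while its USTAR size field says 0.
fn demo_archive() -> Vec<u8> {
    let (pax, mut a) = (b"13 size=1024\n", Vec::new());
    a.extend_from_slice(&header("PaxHeaders/first.bin", pax.len() as u64, b'x'));
    a.extend_from_slice(pax); a.resize(padded_len(a.len() as u64), 0);
    a.extend_from_slice(&header("first.bin", 0, b'0'));
    a.resize(a.len() + 1024, b'A'); // the entry's real data bytes
    a.extend_from_slice(&header("second.txt", 5, b'0'));
    a.extend_from_slice(b"hello"); a.resize(padded_len(a.len() as u64) + 2 * BLOCK, 0); // pad + EOF
    a
}
```

With `honor_pax` set, the lister reports `first.bin` (1024 bytes) and `second.txt`; without it, the reader lands in the middle of `first.bin`'s data and the next "header" it reads fails to parse, which is the loss of stream position the advisory describes.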
## Exploitation
- Status: Disclosed by researchers at Edera; the report does not mention exploitation in the wild, but the potential exists.
- Complexity: Medium (requires crafting a malicious, nested TAR archive).
- Attack Vector: Network (via untrusted archive upload/processing).
## Impact
- Confidentiality: Potential escalation path via configuration file overwrite.
- Integrity: High impact due to file overwriting capabilities, leading to system modification.
- Availability: Potential denial of service or system integrity loss.
## Remediation
### Patches
- For the `tokio-tar` fork actively maintained by Astral: **`astral-tokio-tar` version 0.5.6** and later contains the remediation.
### Workarounds
- Users heavily relying on the deprecated `tokio-tar` should migrate to **`astral-tokio-tar`** to benefit from the patch.
## Detection
- Indicators of compromise: Unexpected file creation or modification within extracted directories after TAR processing, especially during builds or installations that use these libraries.
- Detection methods and tools: Monitor file system write operations from processes that use the affected libraries while unpacking untrusted or external archives. Dependency scanning or custom static analysis should flag dependencies on older versions of these crates.
## References
- Vendor advisories: [GitHub Security Advisory GHSA-j5gw-2vrg-8fgx](https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-j5gw-2vrg-8fgx)
- Relevant links:
  - General vulnerability report: hXXps://edera.dev/stories/tarmageddon
  - CVE details: hXXps://www.cve.org/CVERecord?id=CVE-2025-62518
  - Fixed version release: hXXps://github.com/astral-sh/tokio-tar/releases/tag/v0.5.6