TARmageddon flaw in the async-tar Rust library lets attackers smuggle extra archive entries when the library processes nested TAR files

CVE-2025-62518 TARmageddon flaw in Rust async-tar and forks like tokio-tar may allow remote code execution, says Edera.

The Edera team disclosed a vulnerability tracked as CVE-2025-62518 (CVSS score: 8.1), dubbed TARmageddon, in the Rust async-tar library and its forks, such as tokio-tar. A remote attacker can exploit the flaw to achieve code execution.

“astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling,” reads the advisory. “When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers.”

The vulnerability is a desynchronization bug in async-tar/tokio-tar that lets an attacker “smuggle” files from a nested TAR into the outer extraction by exploiting a mismatch between the two size fields an entry can carry: the PAX extended header records the real size, while the ustar header’s size field is set to 0.

“By advancing 0 bytes, the parser fails to skip over the actual file data (which is a nested TAR archive) and immediately encounters the next valid TAR header located at the start of the nested archive. It then incorrectly interprets the inner archive’s headers as legitimate entries belonging to the outer archive,” continues the report.

Because the parser advances the stream by the ustar size (0) rather than the PAX-specified size, it never skips the nested archive’s bytes and instead treats the inner archive’s headers as valid entries of the outer archive. The correct behaviour, which the advisory attributes to astral-tokio-tar 0.5.6 and later, is to advance by the PAX-specified size whenever a PAX size override is present.
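To make the desynchronization concrete, the following is an added example in Rust; it is not code from async-tar, tokio-tar or astral-tokio-tar, nor Edera’s proof of concept. It is a minimal in-memory tar walker that builds a two-level archive (a PAX header carrying the true size, a ustar header whose size field is 0, and entry data that is itself a tar archive), then walks it once advancing by the ustar size (the vulnerable behaviour) and once advancing by the PAX size (the corrected behaviour). The entry names, file contents and helper names (`build_archive`, `list_entries`, `pax_record`) are constructed for this example and are not library API.

```rust
// Added example (not async-tar/tokio-tar code): reproducing the PAX/ustar
// stream desynchronization on a constructed nested tar archive.
const BLOCK: usize = 512;

/// Round up to the next 512-byte block boundary.
fn pad(n: usize) -> usize {
    (n + BLOCK - 1) / BLOCK * BLOCK
}

/// Build a ustar header with a valid checksum. `size` goes into the 12-byte
/// octal size field; `typeflag` is b'0' (regular file) or b'x' (PAX header).
fn header(name: &str, size: usize, typeflag: u8) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..107].copy_from_slice(b"0000644");
    h[108..115].copy_from_slice(b"0000000");
    h[116..123].copy_from_slice(b"0000000");
    h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes());
    h[136..147].copy_from_slice(b"00000000000");
    h[156] = typeflag;
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    // Checksum: byte sum of the header with the checksum field counted as spaces.
    h[148..156].copy_from_slice(b"        ");
    let sum: u32 = h.iter().map(|&b| b as u32).sum();
    h[148..155].copy_from_slice(format!("{:06o}\0", sum).as_bytes());
    h[155] = b' ';
    h
}

/// One PAX record: "<len> <key>=<value>\n", where <len> counts the whole record.
fn pax_record(key: &str, value: &str) -> Vec<u8> {
    let body = format!(" {}={}\n", key, value);
    let mut len = body.len() + 1;
    while len.to_string().len() + body.len() != len {
        len += 1;
    }
    format!("{}{}", len, body).into_bytes()
}

/// Constructed sample: the outer archive's only entry, "outer.tar", is itself a
/// tar archive containing "inner.txt". The PAX header records the true size of
/// outer.tar; the ustar size field says 0, the mismatch the advisory describes.
fn build_archive() -> Vec<u8> {
    let inner_data = b"smuggled\n";
    let mut inner = Vec::new();
    inner.extend_from_slice(&header("inner.txt", inner_data.len(), b'0'));
    inner.extend_from_slice(inner_data);
    inner.resize(pad(inner.len()), 0);
    inner.resize(inner.len() + 2 * BLOCK, 0); // end-of-archive marker blocks

    let pax = pax_record("size", &inner.len().to_string());
    let mut outer = Vec::new();
    outer.extend_from_slice(&header("PaxHeaders/outer.tar", pax.len(), b'x'));
    outer.extend_from_slice(&pax);
    outer.resize(pad(outer.len()), 0);
    outer.extend_from_slice(&header("outer.tar", 0, b'0')); // ustar size = 0
    outer.extend_from_slice(&inner); // the real entry data (2048 bytes)
    outer.resize(outer.len() + 2 * BLOCK, 0);
    outer
}

/// Parse a NUL- or space-terminated octal field.
fn octal(field: &[u8]) -> usize {
    let digits: String = field.iter().take_while(|&&b| b != 0 && b != b' ').map(|&b| b as char).collect();
    usize::from_str_radix(&digits, 8).unwrap_or(0)
}

fn checksum_ok(h: &[u8]) -> bool {
    let computed: usize = h.iter().enumerate()
        .map(|(i, &b)| if (148..156).contains(&i) { b' ' as usize } else { b as usize })
        .sum();
    octal(&h[148..156]) == computed
}

/// List (name, size) for each entry. With `honour_pax_size == false` the walker
/// advances by the ustar size even after a PAX "size" override, so a zero ustar
/// size leaves the stream pointing at the nested archive's first header.
fn list_entries(archive: &[u8], honour_pax_size: bool) -> Vec<(String, usize)> {
    let mut entries = Vec::new();
    let mut pending_pax_size: Option<usize> = None;
    let mut pos = 0;
    while pos + BLOCK <= archive.len() {
        let h = &archive[pos..pos + BLOCK];
        if h.iter().all(|&b| b == 0) || !checksum_ok(h) {
            break; // end-of-archive marker, or not a header at all
        }
        let name = String::from_utf8_lossy(&h[..100]).trim_end_matches('\0').to_string();
        let ustar_size = octal(&h[124..136]);
        pos += BLOCK;
        if h[156] == b'x' {
            // PAX extended header: its records override fields of the *next* entry.
            let end = (pos + ustar_size).min(archive.len());
            for rec in String::from_utf8_lossy(&archive[pos..end]).lines() {
                if let Some((_, kv)) = rec.split_once(' ') {
                    if let Some(v) = kv.strip_prefix("size=") {
                        pending_pax_size = v.parse().ok();
                    }
                }
            }
            pos += pad(ustar_size);
            continue;
        }
        let advance = match (honour_pax_size, pending_pax_size.take()) {
            (true, Some(pax_size)) => pax_size, // fixed: PAX size wins
            _ => ustar_size,                    // vulnerable: ustar size (0) wins
        };
        entries.push((name, advance));
        pos += pad(advance);
    }
    entries
}

fn main() {
    let archive = build_archive();
    println!("vulnerable walk: {:?}", list_entries(&archive, false));
    println!("fixed walk:      {:?}", list_entries(&archive, true));
}
```

The vulnerable walk reports two entries, `outer.tar` (size 0) followed by `inner.txt`, even though the outer archive contains only one entry; the fixed walk reports `outer.tar` with its PAX size of 2048 and stops at the outer end-of-archive marker. The same check is useful as a regression test for any tar implementation: feed it an archive whose ustar size is 0 and whose PAX size is non-zero, and confirm that no entry from the nested data is ever listed.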

Exploitation can also lead to file overwrite during extraction, supply-chain poisoning, and bypass of security scanners or bill-of-materials checks. In practical attack scenarios, a malicious Python package that replaces a build backend can achieve RCE during installation, or poisoned container image layers can inject files into test environments. In another scenario, scanners approve an outer TAR while the vulnerable extractor pulls hidden, unscanned files from the inner TAR.

In short, mismatched header handling causes stream misalignment, enabling hidden payloads in nested TARs and serious supply-chain and deployment risks.

“The discovery of TARmageddon is an important reminder that Rust is not a silver bullet. While Rust’s guarantees make it significantly harder to introduce memory safety bugs (like buffer overflows or use-after-free), it does not eliminate logic bugs—and this parsing inconsistency is fundamentally a logic flaw. Developers must remain vigilant against all classes of vulnerabilities, regardless of the language used.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, TARmageddon)
