← Zuruck zu CVEs
CVE-2025-62518
HIGH8.1
Beschreibung
astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds.
CVE Details
CVSS v3.1 Bewertung8.1
SchweregradHIGH
CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
AngriffsvektorNETWORK
KomplexitatLOW
Erforderliche PrivilegienNONE
BenutzerinteraktionREQUIRED
Veroffentlicht10/21/2025
Zuletzt geandert10/21/2025
Quellenvd
Honeypot-Sichtungen0
Schwachen (CWE)
CWE-843
Referenzen
https://edera.dev/stories/tarmageddon(security-advisories@github.com)
https://github.com/astral-sh/tokio-tar/commit/22b3f884adb7a2adf1d3a8d03469533f5cbc8318(security-advisories@github.com)
https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-j5gw-2vrg-8fgx(security-advisories@github.com)
https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9(security-advisories@github.com)
https://github.com/edera-dev/cve-tarmageddon(security-advisories@github.com)
IOC Korrelationen
Keine Korrelationen erfasst
This product uses data from the NVD API but is not endorsed or certified by the NVD.