A high-severity vulnerability in the Rust crate async-tar and its forks, dubbed TARmageddon, lets a crafted archive smuggle extra entries past the parser. Because the forks (notably tokio-tar and its descendants) are used by package managers and build tooling that extract untrusted archives, a smuggled entry that overwrites files during extraction can escalate to code execution, with direct consequences for software supply chains and build environments. #Async-tar #Tokio-tar #TARmageddon
Keypoints
- CVE-2025-62518 is a parser desynchronization bug: when a PAX extended header's `size` record disagrees with the ustar header's size field, the affected parsers use one value to read the entry's data and the other to locate the next header, so they lose their position in the stream.
- The attacker embeds a second tar archive inside the data of an ordinary entry. Once the parser is desynchronized, the nested archive's headers are read as top-level headers, and the outer archive appears to contain files it never legitimately declared.
- A smuggled entry can overwrite files of the attacker's choosing during extraction. When the consumer is a package manager or build tool processing an archive fetched from an untrusted source, overwriting a file the build later executes turns the bug into code execution in that tool's context.
- Patched releases exist for the maintained forks astral-tokio-tar and krata-tokio-tar; the upstream tokio-tar crate is unmaintained, so dependents do not receive a fix through a normal version bump and many remain unpatched until they switch dependencies.
- Developers are advised to audit their dependency tree for the affected crates (for example `cargo tree -i tokio-tar`), move to a patched fork, and, in any tar parser they maintain, resolve a single entry size from the PAX and ustar headers and use it both for reading the entry's data and for advancing to the next header, bounds-checking it against the archive length.
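The desynchronization described in the points above, as an added example written for this page: it is not code from async-tar, tokio-tar or any of the forks, and the archive it parses is constructed in memory with made-up names (`payload.bin`, `smuggled.txt`) and a made-up payload. The walker has two modes. In the inconsistent mode it reports the PAX size for an entry but advances the cursor by the ustar size, so the nested header inside the entry's data is parsed as a top-level entry. In the consistent mode one resolved size governs both reading and advancing, and every size is bounds-checked against the archive. A PAX/ustar mismatch is not rejected outright, because the ustar size field holds only 11 octal digits and a PAX `size` override is a legitimate way to describe larger files.

```rust
// Added example, not async-tar/tokio-tar code: a minimal tar walker showing how
// reading an entry with one size field and advancing with another lets a nested
// archive's headers surface as top-level entries. Archive bytes are constructed.

const BLOCK: usize = 512;

/// One top-level entry as the walker reports it.
#[derive(Debug, PartialEq)]
struct Entry {
    name: String,
    size: usize,
}

/// Build a 512-byte ustar header; `typeflag` is b'0' (file) or b'x' (PAX header).
fn ustar_header(name: &str, size: usize, typeflag: u8) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes()); // name, NUL-padded
    h[100..107].copy_from_slice(b"0000644"); // mode
    h[108..115].copy_from_slice(b"0000000"); // uid
    h[116..123].copy_from_slice(b"0000000"); // gid
    h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes()); // size, octal
    h[136..147].copy_from_slice(b"00000000000"); // mtime
    h[156] = typeflag;
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    // Checksum: byte sum of the header with the checksum field itself read as spaces.
    h[148..156].copy_from_slice(b"        ");
    let sum: u32 = h.iter().map(|&b| b as u32).sum();
    h[148..155].copy_from_slice(format!("{:06o}\0", sum).as_bytes());
    h
}

/// Append `data` followed by zero padding up to the next 512-byte boundary.
fn push_padded(out: &mut Vec<u8>, data: &[u8]) {
    out.extend_from_slice(data);
    let pad = (BLOCK - data.len() % BLOCK) % BLOCK;
    out.resize(out.len() + pad, 0);
}

/// PAX record "<len> key=value\n"; <len> counts the whole record, itself included.
fn pax_record(key: &str, value: &str) -> Vec<u8> {
    let body = format!(" {}={}\n", key, value);
    let mut len = body.len() + 1;
    while len.to_string().len() + body.len() != len {
        len += 1;
    }
    format!("{}{}", len, body).into_bytes()
}

fn parse_octal(field: &[u8]) -> Option<usize> {
    let s = std::str::from_utf8(field).ok()?.trim_matches(|c| c == '\0' || c == ' ');
    if s.is_empty() { Some(0) } else { usize::from_str_radix(s, 8).ok() }
}

fn header_name(h: &[u8]) -> String {
    let end = h[..100].iter().position(|&b| b == 0).unwrap_or(100);
    String::from_utf8_lossy(&h[..end]).into_owned()
}

/// Extract the `size` record from a PAX extended header's data, if present.
fn pax_size(records: &[u8]) -> Option<usize> {
    String::from_utf8_lossy(records)
        .split('\n')
        .filter_map(|rec| rec.split_once(' '))
        .find_map(|(_, kv)| kv.strip_prefix("size=")?.parse().ok())
}

/// Offset just past `n` bytes at `pos`, or None if that leaves the archive.
fn end_of(archive_len: usize, pos: usize, n: usize) -> Option<usize> {
    pos.checked_add(n).filter(|&e| e <= archive_len)
}

/// Walk the archive and list top-level entries. With `consistent == false` the
/// walker reports the PAX size but advances by the ustar size (the desynchronizing
/// mistake); with `consistent == true` one resolved size governs both.
fn walk(archive: &[u8], consistent: bool) -> Result<Vec<Entry>, String> {
    let mut entries = Vec::new();
    let mut pos = 0usize;
    let mut pending_pax: Option<usize> = None;
    while pos + BLOCK <= archive.len() {
        let h = &archive[pos..pos + BLOCK];
        if h.iter().all(|&b| b == 0) {
            break; // end-of-archive marker
        }
        pos += BLOCK;
        let ustar_size = parse_octal(&h[124..136]).ok_or("unparsable size field")?;
        if h[156] == b'x' {
            let end = end_of(archive.len(), pos, ustar_size).ok_or("PAX data past end")?;
            pending_pax = pax_size(&archive[pos..end]); // applies to the next entry only
            pos += ustar_size + (BLOCK - ustar_size % BLOCK) % BLOCK;
            continue;
        }
        let data_size = pending_pax.take().unwrap_or(ustar_size); // PAX overrides ustar
        let end = end_of(archive.len(), pos, data_size).ok_or("entry data past end")?;
        entries.push(Entry { name: header_name(h), size: end - pos });
        let skip = if consistent { data_size } else { ustar_size };
        pos += skip + (BLOCK - skip % BLOCK) % BLOCK;
    }
    Ok(entries)
}

/// Constructed archive: a PAX `size` record that disagrees with the ustar size
/// (0) of the entry that follows; that entry's data is itself a tar header plus data.
fn build_smuggling_archive() -> Vec<u8> {
    let inner_data = b"echo pwned\n"; // made-up payload
    let mut inner = Vec::new();
    inner.extend_from_slice(&ustar_header("smuggled.txt", inner_data.len(), b'0'));
    push_padded(&mut inner, inner_data);

    let records = pax_record("size", &inner.len().to_string());
    let mut archive = Vec::new();
    archive.extend_from_slice(&ustar_header("PaxHeader/payload.bin", records.len(), b'x'));
    push_padded(&mut archive, &records);
    archive.extend_from_slice(&ustar_header("payload.bin", 0, b'0')); // ustar: 0 bytes
    archive.extend_from_slice(&inner); // PAX: 1024 bytes, containing a nested header
    archive.resize(archive.len() + 2 * BLOCK, 0); // end-of-archive blocks
    archive
}

fn main() {
    let archive = build_smuggling_archive();
    println!("desynchronized: {:?}", walk(&archive, false));
    println!("consistent:     {:?}", walk(&archive, true));
}
```

Run as a plain `rustc` binary or `cargo run`; it needs no crates. The desynchronized walk lists two entries, `payload.bin` and the smuggled `smuggled.txt`, while the consistent walk lists only `payload.bin` with the PAX size of 1024 bytes, and a truncated archive is rejected instead of being read past its end.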
Read More: https://www.securityweek.com/tarmageddon-flaw-in-popular-rust-library-leads-to-rce/