A critical remote code execution (RCE) vulnerability has been discovered in the Rust async-tar ecosystem, affecting popular forks like tokio-tar and astral-tokio-tar. Organizations must urgently update or mitigate this flaw to prevent potential cyberattacks like file overwriting and supply-chain poisoning. #CVE-2025-62518 #TARmageddon
Key points
- The vulnerability CVE-2025-62518 affects the async-tar library ecosystem in Rust, including popular forks like tokio-tar.
- The flaw is a boundary-parsing bug that can lead to remote code execution through malicious archive files.
- It causes header misalignment during TAR extraction, enabling attackers to overwrite files or hijack build processes.
- The affected ecosystem has a large impact, with over 5 million downloads for tokio-tar and involvement in projects like uv and wasmCloud.
- Mitigation includes updating to version 0.5.6 or later and applying extraction security measures if immediate patching isn’t feasible.
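The "extraction security measures" bullet is the part a defender can act on before a patched crate ships. The following is an added example, not code from the advisory or from the async-tar/tokio-tar projects: a strict pre-extraction check of a TAR stream using only the Rust standard library. It walks the 512-byte header blocks in order, verifies each header checksum, requires every entry's declared size (plus padding) to fit inside the archive so the next header is read from where the format says it is, and rejects absolute or `..` paths. All names (`check_archive`, `make_entry`, `TarCheck`) and the in-memory archives are constructed for this demo; the code does not reproduce the library's own parser or its bug.

```rust
// Added example (not from the advisory or the async-tar project): a strict,
// defender-side TAR sanity check using only std. It walks the 512-byte header
// blocks, verifies each header checksum, requires the declared size to fit
// inside the archive, and rejects absolute or traversing entry paths.
// The archives built below are constructed in memory for the demo.

const BLOCK: usize = 512;

#[derive(Debug, PartialEq)]
pub enum TarCheck {
    Ok(Vec<String>),     // validated entry names, in order
    BadChecksum(usize),  // byte offset of the offending header
    Truncated(usize),    // entry data would run past the end of the archive
    UnsafePath(String),  // absolute path or a ".." component
}

// Numeric ustar fields are octal ASCII, terminated by NUL or space.
fn parse_octal(field: &[u8]) -> Option<u64> {
    let s: String = field.iter().take_while(|&&b| b != 0 && b != b' ').map(|&b| b as char).collect();
    if s.is_empty() { return Some(0); }
    u64::from_str_radix(&s, 8).ok()
}

// Header checksum: sum of all bytes, with the checksum field itself (148..156) read as spaces.
fn header_checksum(h: &[u8]) -> u32 {
    h.iter().enumerate().map(|(i, &b)| if (148..156).contains(&i) { 32 } else { b as u32 }).sum()
}

fn path_is_safe(name: &str) -> bool {
    !name.starts_with('/') && !name.split('/').any(|c| c == "..")
}

pub fn check_archive(data: &[u8]) -> TarCheck {
    let mut names = Vec::new();
    let mut off = 0;
    while off + BLOCK <= data.len() {
        let h = &data[off..off + BLOCK];
        if h.iter().all(|&b| b == 0) { break; } // end-of-archive zero block
        let stored = match parse_octal(&h[148..156]) { Some(v) => v as u32, None => return TarCheck::BadChecksum(off) };
        if stored != header_checksum(h) { return TarCheck::BadChecksum(off); }
        let name: String = h[..100].iter().take_while(|&&b| b != 0).map(|&b| b as char).collect();
        if !path_is_safe(&name) { return TarCheck::UnsafePath(name); }
        let size = match parse_octal(&h[124..136]) { Some(v) => v as usize, None => return TarCheck::BadChecksum(off) };
        // Entry data is padded to whole 512-byte blocks; the next header must start right after it.
        let padded = (size + BLOCK - 1) / BLOCK * BLOCK;
        if off + BLOCK + padded > data.len() { return TarCheck::Truncated(off); }
        names.push(name);
        off += BLOCK + padded;
    }
    TarCheck::Ok(names)
}

/// Build one ustar entry (header + padded data) for the constructed demo archives.
pub fn make_entry(name: &str, body: &[u8]) -> Vec<u8> {
    let mut h = vec![0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..107].copy_from_slice(b"0000644");                          // mode
    h[124..135].copy_from_slice(format!("{:011o}", body.len()).as_bytes()); // size
    h[156] = b'0';                                                     // regular file
    h[257..262].copy_from_slice(b"ustar");                             // magic
    let sum = header_checksum(&h);
    h[148..155].copy_from_slice(format!("{:06o}\0", sum).as_bytes());  // checksum + NUL
    h[155] = b' ';
    let mut out = h;
    out.extend_from_slice(body);
    out.resize(BLOCK + (body.len() + BLOCK - 1) / BLOCK * BLOCK, 0);   // pad data to block size
    out
}

fn main() {
    // A well-formed two-entry archive followed by the two zero blocks that end it.
    let mut good = make_entry("src/main.rs", b"fn main() {}\n");
    good.extend_from_slice(&make_entry("README", b"hello"));
    good.extend(vec![0u8; 2 * BLOCK]);
    println!("{:?}", check_archive(&good));

    // Constructed failure cases: a traversing path, and a header whose declared
    // size points past the end of the data actually present.
    println!("{:?}", check_archive(&make_entry("../outside.txt", b"x")));
    let mut oversize = make_entry("a", b"abc");
    oversize.truncate(BLOCK); // header still claims 3 bytes of data
    println!("{:?}", check_archive(&oversize));
}
```

Run this as a gate in front of whatever extractor you use: an archive that fails `check_archive` is rejected before any file is written, which is the cheap layer of protection until every dependency in the build is on a fixed release.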
Read More: https://thecyberexpress.com/cve%e2%80%912025%e2%80%9162518-rce-flaw-in-async-tar/