Cybersecurity researchers have revealed a critical vulnerability in the async-tar Rust library that could allow remote code execution through file overwriting attacks. Users of impacted projects like testcontainers and wasmCloud are advised to migrate to an updated version of astral-tokio-tar to mitigate the risk. #CVE-2025-62518 #tokio-tar #astral-tokio-tar #Rust #remote-code-execution
Key points
- The vulnerability CVE-2025-62518 affects the async-tar Rust library and its forks, including tokio-tar.
- This flaw can lead to remote code execution via file overwriting and nested TAR archive smuggling.
- The issue stems from parsing inconsistencies between PAX extended headers and ustar headers.
- Tokio-tar is considered abandonware, with the last update in July 2023, and users are urged to switch to astral-tokio-tar version 0.5.6 or later.
- If exploited, attackers could hijack build processes or overwrite configuration files during package installation.
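As an added example (not code from async-tar, tokio-tar or the article), a small Python checker for the header inconsistency the key points describe: it walks raw 512-byte tar headers, compares the `size` record of each PAX extended header with the ustar size field of the entry it describes, and uses the PAX value for both reading and skipping so a disagreement cannot desynchronise the parser into reading embedded bytes as further entries. It assumes the disagreeing field is the entry size; the archive it builds, including the `inner.txt` entry and the `PaxHeaders/` name, is constructed for the demonstration.

```python
BLOCK = 512
def pax_records(data):
    # Records are "<len> <key>=<value>\n", where <len> counts the whole record.
    records, pos = {}, 0
    while pos < len(data):
        space = data.index(b" ", pos)
        length = int(data[pos:space])
        if length <= 0:
            raise ValueError("malformed PAX record")
        key, value = data[space + 1:pos + length - 1].split(b"=", 1)
        records[key.decode()] = value.decode()
        pos += length
    return records

def scan(archive):
    # Flags entries whose PAX "size" disagrees with the ustar field; the PAX value then governs both reading and skipping.
    findings, pos, pending = [], 0, None
    while pos + BLOCK <= len(archive):
        hdr = archive[pos:pos + BLOCK]
        if hdr == b"\0" * BLOCK:  # end-of-archive marker
            break
        size = int(hdr[124:136].split(b"\0", 1)[0].strip() or b"0", 8)  # 11-digit octal
        if hdr[156:157] == b"x":  # PAX extended header describing the next entry
            pending = pax_records(archive[pos + BLOCK:pos + BLOCK + size])
        else:
            pax_size = int(pending["size"]) if pending and "size" in pending else size
            if pax_size != size:
                findings.append((hdr[:100].split(b"\0", 1)[0].decode(), pax_size, size))
            size, pending = pax_size, None
        pos += BLOCK * (1 + (size + BLOCK - 1) // BLOCK)  # header plus data rounded up
    return findings

def ustar_header(name, size, typeflag):
    hdr = bytearray(BLOCK)
    hdr[:len(name)], hdr[100:108], hdr[257:265] = name, b"0000644\0", b"ustar\x0000"
    hdr[124:136], hdr[156:157] = b"%011o\0" % size, typeflag
    hdr[148:156] = b"%06o\0 " % (sum(hdr) + 8 * 0x20)  # checksum treats its own field as spaces
    return bytes(hdr)

def pax_record(key, value):
    body = f" {key}={value}\n"  # the leading <len> must count its own digits
    length = next(n for n in range(len(body) + 1, len(body) + 4) if n == len(str(n)) + len(body))
    return f"{length}{body}".encode()

def build_sample(pax_size, ustar_size, payload):
    # Constructed sample: a PAX header claiming pax_size, then an entry claiming ustar_size.
    pax = pax_record("size", str(pax_size))
    return (ustar_header(b"PaxHeaders/inner.txt", len(pax), b"x") + pax + b"\0" * (-len(pax) % BLOCK)
            + ustar_header(b"inner.txt", ustar_size, b"0") + payload + b"\0" * (-len(payload) % BLOCK)
            + b"\0" * 2 * BLOCK)
```

Some archivers legitimately zero the ustar field and rely on PAX only for entries too large for its 11 octal digits, so a finding means the parser must pick one size consistently, not that the archive is malicious.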
Read More: https://thehackernews.com/2025/10/tarmageddon-flaw-in-async-tar-rust.html