Serious vulnerability found in Rust library
Briefly

"Researchers at Edera say they have uncovered a critical boundary-parsing bug, dubbed TARmageddon (CVE-2025-62518), in the popular async-tar Rust library. And not only is it in this library, but also in its many forks, including the widely used tokio-tar. "In the worst-case scenario, this vulnerability has a severity of 8.1 (High) and can lead to Remote Code Execution (RCE) through file overwriting attacks, such as replacing configuration files or hijacking build backends," the researchers say in a report."
"The first recommended action is to patch all active forks, since this vulnerability impacts major, widely-used projects, the researchers say, including uv (Astral's Python package manager), testcontainers, and wasmCloud. "Due to the widespread nature of tokio-tar in various forms, it is not possible to truly quantify upfront the blast radius of this bug across the ecosystem," they say. To make things worse, the researchers warn, the highly downloaded tokio-tar remains unpatched, probably because it's no longer actively maintained."
A critical boundary-parsing bug named TARmageddon (CVE-2025-62518) affects the async-tar Rust library and numerous forks, including tokio-tar. The vulnerability can reach severity 8.1 (High) and enable remote code execution through file-overwriting attacks that replace configuration files or hijack build backends. The flaw also enables supply-chain propagation across dependent applications. Several widely used projects are impacted, including uv (Astral's Python package manager), testcontainers, and wasmCloud. Tokio-tar remains unpatched and likely unmaintained. Developers should patch active forks and migrate to patched forks such as astral-tokio-tar v0.5.6 or later. IT teams should scan Rust applications for exposure.
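As an added exposure check (not from the InfoWorld report or from any of the projects named), the following Python script reads a Cargo.lock and flags the crates the summary above names. It assumes only what the summary states: astral-tokio-tar is fixed from 0.5.6, tokio-tar is unpatched, and async-tar and other forks must be checked against their own advisories; the minimal lock-file reader and the sample lock are constructed here.

```python
# Crates named in the summary above. The only fixed version it gives is
# astral-tokio-tar 0.5.6; tokio-tar is unpatched, and async-tar (and other
# forks) must be checked against their own advisory, so those get flagged.
FIXED_VERSIONS = {"astral-tokio-tar": (0, 5, 6)}
REVIEW_CRATES = {"async-tar", "tokio-tar"}

def parse_version(v: str) -> tuple:
    """Turn '0.5.6' (or '0.5.6-beta.1') into a comparable tuple of ints."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))

def parse_packages(cargo_lock_text: str) -> list:
    """Minimal Cargo.lock reader: (name, version) for each [[package]] table."""
    packages, current = [], None
    for line in cargo_lock_text.splitlines():
        line = line.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif line.startswith("["):  # [metadata] or any other table
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return [(p.get("name", ""), p.get("version", "")) for p in packages]

def find_exposure(cargo_lock_text: str) -> list:
    """Return (crate, version, reason) for every affected package in the lock."""
    findings = []
    for name, version in parse_packages(cargo_lock_text):
        if name in FIXED_VERSIONS and parse_version(version) < FIXED_VERSIONS[name]:
            findings.append((name, version, "below fixed version 0.5.6"))
        elif name in REVIEW_CRATES:
            findings.append((name, version, "unpatched or fork: verify against advisory"))
    return findings

# Constructed sample Cargo.lock fragment (not taken from any real project).
SAMPLE_LOCK = """\
[[package]]
name = "tokio-tar"
version = "0.3.1"

[[package]]
name = "astral-tokio-tar"
version = "0.5.5"
"""

if __name__ == "__main__":
    for crate, ver, why in find_exposure(SAMPLE_LOCK):
        print(f"{crate} {ver}: {why}")
```

Run it against each project's real Cargo.lock; an empty result for a project that still vendors a fork under another name is not proof of safety, so compare the package list against the advisory as well.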
Read at InfoWorld