TARmageddon Flaw in Async-Tar Rust Library Could Enable Remote Code Execution
"In the worst-case scenario, this vulnerability has a severity of 8.1 (High) and can lead to Remote Code Execution (RCE) through file overwriting attacks, such as replacing configuration files or hijacking build backends."
"Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling."
"When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate TAR headers."
A high-severity TAR parsing vulnerability (CVE-2025-62518, TARmageddon) affects async-tar and its forks, enabling remote code execution via file-overwrite attacks. The flaw has a CVSS score of 8.1 and can allow attackers to replace configuration files or hijack build backends. The root cause is inconsistent handling of PAX extended headers and ustar headers: the PAX size override is ignored and the stream position is advanced by the ustar header's size field instead, so the file's data is misread as the next TAR header. Tokio-tar appears unmaintained; affected users should migrate to astral-tokio-tar 0.5.6, which contains the fix. Testcontainers and wasmCloud are among the impacted projects.
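To make that header boundary concrete, here is an added example (not code from the page or from any of the affected crates): a minimal Python tar-stream walker that advances past file data by the PAX `size` override when one is present, a scanner that flags entries whose PAX size disagrees with a ustar size field the value would have fit in, and a cross-check against Python's `tarfile` module. The archive bytes are constructed inline (a PAX size override over a 260-byte entry whose ustar size field reads 0); all helper names are my own.

```python
import io, tarfile

BLOCK = 512
pad = lambda b: b + b"\0" * (-len(b) % BLOCK)   # round a record or payload up to 512 bytes
def ustar_header(name: bytes, size: int, typeflag: bytes) -> bytes:
    # One 512-byte ustar header with a valid checksum; uid/gid/mtime zeroed.
    h = bytearray(BLOCK)
    h[0:len(name)] = name
    for off, width, val in ((100, 8, 0o644), (108, 8, 0), (116, 8, 0), (124, 12, size), (136, 12, 0)):
        h[off:off + width] = f"{val:0{width - 1}o}".encode() + b"\0"
    h[148:156], h[156:157], h[257:265] = b" " * 8, typeflag, b"ustar\0" b"00"
    h[148:156] = f"{sum(h):06o}".encode() + b"\0 "
    return bytes(h)
def pax_record(key: str, value: str) -> bytes:
    body, n = f" {key}={value}\n", 1              # record is '<len> key=value\n',
    while len(str(n)) + len(body) != n:           # where <len> counts its own digits
        n += 1
    return f"{n}{body}".encode()

# Constructed sample: an 'x' header carrying a PAX 'size' override, then a ustar
# header whose own size field says 0, the inconsistency the page describes.
PAYLOAD = b"hello from the real entry\n" * 10
PAX = pax_record("size", str(len(PAYLOAD)))
ARCHIVE = (ustar_header(b"./PaxHeaders/data", len(PAX), b"x") + pad(PAX)
           + ustar_header(b"data", 0, b"0") + pad(PAYLOAD) + b"\0" * (2 * BLOCK))

def scan(data: bytes) -> list:
    # Walk the stream, advancing by the PAX size when given; returns (name, ustar_size, pax_size).
    out, pos, pax_size = [], 0, None
    while pos + BLOCK <= len(data) and any(data[pos:pos + BLOCK]):
        hdr = data[pos:pos + BLOCK]
        ustar_size = int(hdr[124:136].split(b"\0")[0].strip() or b"0", 8)
        pos += BLOCK
        if hdr[156:157] == b"x":                  # PAX extended header: parse its records
            for rec in data[pos:pos + ustar_size].split(b"\n"):
                if rec.split(b" ", 1)[-1].startswith(b"size="):
                    pax_size = int(rec.split(b"=", 1)[1])
            pos += len(pad(b"\0" * ustar_size))
            continue
        out.append((hdr[:100].split(b"\0")[0].decode(), ustar_size, pax_size))
        pos += len(pad(b"\0" * (ustar_size if pax_size is None else pax_size)))
        pax_size = None
    return out
def size_overrides(data: bytes) -> list:
    # PAX size disagreeing with the ustar field although it fits the 11-digit octal field.
    return [e for e in scan(data) if e[2] is not None and e[2] != e[1] and e[2] < 8 ** 11]
def stdlib_view(data: bytes) -> list:
    # Cross-check: Python's tarfile honours the PAX size override.
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        return [(m.name, m.size, len(tf.extractfile(m).read())) for m in tf.getmembers()]
```

A walker that advanced by the ustar field instead would land inside the 260-byte payload and treat it as the next header, which is exactly the misparse the advisory describes.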
Read at The Hacker News