A critical boundary-parsing bug in async-tar and forks enables file-overwrite remote code execution, affecting widely used tokio-tar and many Rust projects.
A header-parsing flaw in async-tar lets attackers smuggle files in tar archives, enabling overwrites and supply-chain attacks; popular fork tokio-tar remains unpatched.