21 matches found
Medium: rust-cargo-c
Issue Overview: tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size...
Amazon Linux 2023 : cargo-c (ALAS2023-2026-1566)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1566 advisory. tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As par...
Amazon Linux 2023 : cargo, clippy, rust (ALAS2023-2026-1568)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1568 advisory. A flaw in the gix-date library can generate invalid non-UTF8 strings, leading to undefined behavior when processed. The most likely impact from a successful attack is to data integrity, by the...
tar-rs incorrectly ignores PAX size headers if header size is nonzero
Summary As part of CVE-2025-62518 the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. However, it was missed at the time that this project, the original Rust tar crate, had conditional logic that skipped the PAX siz...
GHSA-GCHP-Q4R4-X4FF tar-rs incorrectly ignores PAX size headers if header size is nonzero
Summary As part of CVE-2025-62518 the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. However, it was missed at the time that this project, the original Rust tar crate, had conditional logic that skipped the PAX siz...
tar-rs incorrectly ignores PAX size headers if header size is nonzero
Versions 0.4.44 and below of tar-rs have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the...
SUSE: Security Advisory (SUSE-SU-2026:20077-1)
The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
Exploit for CVE-2025-62518
Tarmageddon CVE-2025-62518 https://nvd.nist.gov/vuln/detail/...
Fedora: Security Advisory (FEDORA-2025-4154ea83d0)
The remote host is missing an update for the SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
Fedora 41 : openapi-python-client / python-uv-build / ruff / etc (2025-43a0bff5ea)
The remote Fedora 41 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2025-43a0bff5ea advisory. uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for...
Fedora: Security Advisory (FEDORA-2025-43a0bff5ea)
The remote host is missing an update for the SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
Linux Distros Unpatched Vulnerability : CVE-2025-62518
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability...
python311-uv-0.9.5-1.1 on GA media (moderate)
python311-uv-0.9.5-1.1 on GA media Announcement ID: openSUSE-SU-2025:15658-1 Rating: moderate Cross-References: CVE-2025-62518 CVSS scores: CVE-2025-62518 SUSE : 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2025-62518 SUSE : 5.1...
CVE-2025-62518 vulnerabilities
Vulnerabilities for packages: pixi...
TARmageddon Flaw in Async-Tar Rust Library Could Enable Remote Code Execution
Cybersecurity researchers have disclosed details of a high-severity flaw impacting the popular async-tar Rust library and its forks, including tokio-tar, that could result in remote code execution under certain conditions. The vulnerability, tracked as CVE-2025-62518 (CVSS score: 8.1), has been...
CVE-2025-62518
astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives...
apple-opensource-downloader (=0.1.0), async_bagit (>=0.1.0 <=0.2.0) +11 more potentially affected by CVE-2025-62518 via tokio-tar (=0.3.1)
tokio-tar CARGO version =0.3.1 is affected by a known vulnerability. The following packages have a transitive dependency on tokio-tar and may be impacted: - apple-opensource-downloader =0.1.0 - asyncbagit =0.1.0, =0.1.8, =0.8.0, =0.2.0, =0.1.0, =0.2.5, =0.4.0, =0.6.0, =0.12.0, =0.1.0,...
CVE-2025-62518
| creationtimestamp | type | source |
|---|---|---|
| 2025-10-21 14:28:10+00:00 | published-proof-of-concept | https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-j5gw-2vrg-8fgx |
| 2025-10-21 15:18:29+00:00 | seen | https://bsky.app/profile/linux.activitypub.awakari.com.ap.brid.gy/post/3m3pmuuj7k6y2... |