2 matches found
CVE-2025-59825
CVE-2025-59825 affects astral-tokio-tar (Rust) up to v0.5.3: tar extraction can escape the target dir via Entry::unpack_in_raw and via a symlink pair that bypasses allow_external_symlinks, potentially enabling arbitrary file writes and code execution. The issue is fixed in v0.5.4; upgrading is re...
CVE-2025-59825
astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.3 and earlier of astral-tokio-tar, tar archives may extract outside of their intended destination directory when using the Entry::unpackinraw API. Additionally, the Entry::allowexternalsymlinks control which...