Developers creating projects in the Rust programming language, as well as IT leaders with Rust-based applications in their environments, should pay attention to a serious vulnerability found in a popular third-party Rust library for reading TAR archives.
Researchers at Edera say they have uncovered a critical boundary-parsing bug, dubbed TARmageddon (CVE-2025-62518), in the popular async-tar Rust library. The flaw is present not only in async-tar itself but also in its many forks, including the widely used tokio-tar.
“In the worst-case scenario, this vulnerability has a severity of 8.1 (High) and can lead to Remote Code Execution (RCE) through file overwriting attacks, such as replacing configuration files or hijacking build backends,” the researchers say in a report. Another possible impact is the spread of malicious content to downstream users through the applications that unpack it, in other words a supply chain attack.
The first recommended action is to patch all active forks, since this vulnerability impacts major, widely-used projects, the researchers say, including uv (Astral’s Python package manager), testcontainers, and wasmCloud. “Due to the widespread nature of tokio-tar in various forms, it is not possible to truly quantify upfront the blast radius of this bug across the ecosystem,” they say.
To make things worse, the researchers warn, the highly downloaded tokio-tar remains unpatched, probably because it’s no longer actively maintained.
Edera suggests that developers who rely on tokio-tar consider migrating to an actively maintained fork such as astral-tokio-tar version 0.5.6 or later, which has been patched.
IT leaders also need to inventory their applications to determine which are written in Rust and pull in an affected TAR library, whether directly or through a dependency.
Why is it critical?
TAR files are used in Unix and Linux systems for bundling multiple directories and files into an archive file that retains the full directory structure and metadata of the original information, explains Robert Beggs, head of Canadian incident response firm DigitalDefence. Archive files are commonly used in backups, or for packing software for purposes such as distributing source code.
Because of the way in which particular versions of the TAR libraries have been written, a potential vulnerability exists, he said in an email to CSO, noting, “In the worst case, it would allow an attacker to execute arbitrary code on a host system and engage in malicious actions, such as overwriting critical files (configuration files, build scripts), or gaining unauthorized filesystem access.” Exploitation could also result in the compromise of any system that extracts files from the malicious TAR.
“The vulnerability is especially serious because the vulnerable TAR libraries are often present as part of applications that are not actively maintained, and may be missed when patching or otherwise mitigating the issue,” he added.
While there are as yet no known exploits of this vulnerability, Beggs said that can change quickly. “It is a high severity vulnerability, 8.1 on a scale of 1 to 10,” he pointed out, “so it will likely attract the attention of attackers.”
Recommendations
He recommends infosec leaders:
- audit dependency manifests and lockfiles to identify direct and transitive dependencies on tokio-tar, its forks or wrappers around them, and ensure that they are also patched;
- review where TAR archives are unpacked in continuous integration/continuous deployment pipelines and in container images, and ensure that the tooling involved is patched;
- isolate (sandbox) archive processing, and avoid extracting TAR files from untrusted sources;
- continue to monitor for possible exploits or further vulnerabilities associated with the library.
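The first recommendation, auditing for the affected crate family, is the one most readily automated. The following is an added example written for this article, not code from Edera, Astral or the tokio-tar project: a small Rust program that walks a Cargo.lock (which lists transitive dependencies too, so wrappers around these crates are caught as well) and reports any crate in the async-tar/tokio-tar family. Only the crate names and the astral-tokio-tar 0.5.6 threshold mentioned above are used; the lockfile text is constructed for the example, and `lock_packages` is a deliberately minimal reader, not a TOML parser.

```rust
/// Constructed Cargo.lock fragment for the example; real lockfiles carry more fields.
const SAMPLE_CARGO_LOCK: &str = r#"
[[package]]
name = "tokio"
version = "1.40.0"

[[package]]
name = "tokio-tar"
version = "0.3.1"

[[package]]
name = "astral-tokio-tar"
version = "0.5.5"

[[package]]
name = "async-tar"
version = "0.5.0"
"#;

/// Minimal lockfile reader (not a TOML parser): (name, version) per [[package]] table.
fn lock_packages(text: &str) -> Vec<(String, String)> {
    let (mut out, mut name, mut version) = (Vec::new(), None, None);
    for line in text.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None;
            version = None;
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            version = Some(v.trim_matches('"').to_string());
        }
        if name.is_some() && version.is_some() {
            out.push((name.take().unwrap(), version.take().unwrap()));
        }
    }
    out
}

/// Compare the first three numeric components; pre-release tags are ignored.
fn at_least(version: &str, min: (u64, u64, u64)) -> bool {
    let mut p = version
        .split(|c: char| !c.is_ascii_digit())
        .filter(|s| !s.is_empty())
        .map(|s| s.parse::<u64>().unwrap_or(0));
    (p.next().unwrap_or(0), p.next().unwrap_or(0), p.next().unwrap_or(0)) >= min
}

/// One finding per crate in the affected family; all other crates are ignored.
fn audit_lock(text: &str) -> Vec<String> {
    lock_packages(text)
        .into_iter()
        .filter_map(|(name, ver)| {
            let verdict = match name.as_str() {
                "tokio-tar" => "unpatched and apparently unmaintained; migrate to a maintained fork such as astral-tokio-tar >= 0.5.6",
                "async-tar" => "affected family; confirm the release is fixed per the upstream advisory",
                "astral-tokio-tar" if at_least(&ver, (0, 5, 6)) => "patched",
                "astral-tokio-tar" => "vulnerable; upgrade to >= 0.5.6",
                _ => return None,
            };
            Some(format!("{} {}: {}", name, ver, verdict))
        })
        .collect()
}

fn main() {
    for finding in audit_lock(SAMPLE_CARGO_LOCK) {
        println!("{}", finding);
    }
}
```

To see which of your own direct dependencies pulls a flagged crate in, `cargo tree -i tokio-tar` (the `-i` flag inverts the tree to show the dependents of a package) is the quickest manual follow-up; the audit above only tells you that the crate is present.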
Admins may also be interested in an advisory explaining the problem from Astral Security, which maintains astral-tokio-tar.
The bug was discovered in July and disclosed that month to the maintainers of all affected libraries, the Rust Foundation, and a number of downstream projects. It was agreed that details wouldn’t be released until this week.
Because the most popular fork (tokio-tar, with over 5 million downloads on crates.io) appears to be no longer actively maintained, Edera co-ordinated a decentralized disclosure across the complex fork lineage.
Possible consequences
The vulnerability is a desynchronization flaw that allows an attacker to ‘smuggle’ additional archive entries into TAR extractions, says Edera. It occurs when processing nested TAR files that exhibit a specific mismatch between their PAX extended headers and ustar headers. The flaw stems from the parser’s inconsistent logic when determining file data boundaries: the size it uses to read an entry’s contents and the size it uses to locate the next header can disagree, so bytes that should have been treated as one file’s data are instead parsed as further archive entries.
Among the attack scenarios Edera describes are:
- an attack on Python package managers using tokio-tar. An attacker uploads a malicious package to the open source PyPI repository, from which developers download useful utilities. The package’s outer TAR container holds a legitimate file, but a hidden inner TAR contains a malicious one that hijacks the build backend. The inner TAR introduces unexpected or overwritten files, which compromises the build environment and pollutes the supply chain;
- an attack on any system with separate ‘scan/approve’ phases. A security scanner analyzes the outer, clean TAR and approves its limited file set. However, the extraction process using the vulnerable library pulls in additional, unapproved and unscanned files from the inner TAR, resulting in a security control bypass and policy violation.
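Both the desynchronization described above and the scan/approve bypass can be seen in a few dozen lines. The following is an added example written for this article; it is neither Edera’s proof of concept nor tokio-tar’s code, and it models the class of bug rather than the library’s exact internals. The reader below always takes an entry’s size from a PAX “size” record when one is present, as standards-conforming tar tools do, but in “vulnerable” mode it advances to the next header using the raw ustar size field; that this is the direction of the mismatch is an assumption made for illustration. The archive bytes are constructed in memory: an outer archive whose only file, README.md, is itself a TAR archive, with a PAX header stating the true size and a ustar size field of 0. A correct reader lists one entry; the desynchronized reader also lists the inner archive’s smuggled.txt.

```rust
/// One parsed archive member: name, effective size, and the bytes read for it.
struct Entry { name: String, size: u64, data: Vec<u8> }

fn round512(n: u64) -> u64 { (n + 511) & !511 }

/// 512-byte ustar header with a valid checksum; `size` is the raw size field.
fn header(name: &str, typeflag: u8, size: u64) -> [u8; 512] {
    let mut h = [0u8; 512];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..108].copy_from_slice(b"0000644\0"); // mode; uid/gid/mtime left as zero bytes
    h[124..136].copy_from_slice(format!("{:011o}\0", size).as_bytes());
    h[156] = typeflag;
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    // Checksum: byte sum of the header with the checksum field read as spaces.
    h[148..156].copy_from_slice(b"        ");
    let sum: u32 = h.iter().map(|&b| u32::from(b)).sum();
    h[148..156].copy_from_slice(format!("{:06o}\0 ", sum).as_bytes());
    h
}

/// Header plus data padded to 512 bytes. `declared` is what the ustar size
/// field claims and is allowed to disagree with `data.len()`.
fn member(name: &str, typeflag: u8, declared: u64, data: &[u8]) -> Vec<u8> {
    let mut m = header(name, typeflag, declared).to_vec();
    m.extend_from_slice(data);
    m.resize(512 + round512(data.len() as u64) as usize, 0);
    m
}

/// PAX record "<len> <key>=<value>\n", where <len> counts its own digits.
fn pax_record(key: &str, value: &str) -> Vec<u8> {
    let base = key.len() + value.len() + 3; // space, '=', newline
    let mut len = base + 1;
    while len.to_string().len() + base != len { len += 1; }
    format!("{} {}={}\n", len, key, value).into_bytes()
}

/// Constructed sample: the outer archive's only file (README.md) is itself a TAR
/// archive. The PAX header gives the true size; the ustar size field says 0.
fn build_sample_archive() -> Vec<u8> {
    let payload: &[u8] = b"constructed sample: the file an attacker wants written\n";
    let mut inner = member("smuggled.txt", b'0', payload.len() as u64, payload);
    inner.extend_from_slice(&[0u8; 1024]); // end-of-archive marker
    let pax = pax_record("size", &inner.len().to_string());
    let mut outer = member("./PaxHeaders/README.md", b'x', pax.len() as u64, &pax);
    outer.extend(member("README.md", b'0', 0, &inner));
    outer.extend_from_slice(&[0u8; 1024]);
    outer
}

fn nul_str(field: &[u8]) -> String {
    let end = field.iter().position(|&b| b == 0).unwrap_or(field.len());
    String::from_utf8_lossy(&field[..end]).into_owned()
}

fn octal(field: &[u8]) -> u64 {
    u64::from_str_radix(nul_str(field).trim(), 8).unwrap_or(0)
}

fn pax_size(body: &[u8]) -> Option<u64> {
    std::str::from_utf8(body).ok()?.lines().find_map(|rec| {
        let (k, v) = rec.split_once(' ')?.1.split_once('=')?;
        if k == "size" { v.parse().ok() } else { None }
    })
}

/// Walk the archive. Data is always read with the effective (PAX-overridden) size;
/// `seek_by_effective_size` selects whether the jump to the next header uses that
/// same size (fixed) or the raw ustar field (vulnerable: the two go out of sync).
fn parse(tar: &[u8], seek_by_effective_size: bool) -> Vec<Entry> {
    let (mut out, mut pending_pax_size, mut pos) = (Vec::new(), None, 0usize);
    while pos + 512 <= tar.len() {
        let hdr = &tar[pos..pos + 512];
        if hdr.iter().all(|&b| b == 0) { break; } // zero block ends the archive
        let ustar_size = octal(&hdr[124..136]);
        let data_start = pos + 512;
        let clamp = |n: u64| (data_start + n as usize).min(tar.len());
        if hdr[156] == b'x' {
            // PAX extended header: its records apply to the following member.
            pending_pax_size = pax_size(&tar[data_start..clamp(ustar_size)]);
            pos = data_start + round512(ustar_size) as usize;
            continue;
        }
        let effective = pending_pax_size.take().unwrap_or(ustar_size);
        out.push(Entry {
            name: nul_str(&hdr[..100]),
            size: effective,
            data: tar[data_start..clamp(effective)].to_vec(),
        });
        let step = if seek_by_effective_size { effective } else { ustar_size };
        pos = data_start + round512(step) as usize;
    }
    out
}

fn member_names(tar: &[u8], seek_by_effective_size: bool) -> Vec<String> {
    parse(tar, seek_by_effective_size).into_iter().map(|e| e.name).collect()
}

fn main() {
    let tar = build_sample_archive();
    for (label, fixed) in [("vulnerable reader", false), ("fixed reader", true)] {
        println!("{}: {:?}", label, member_names(&tar, fixed));
    }
}
```

The scan/approve bypass falls out directly: a scanner built on the fixed reader approves README.md alone, while an extractor built on the vulnerable reader also writes smuggled.txt, a file the scanner never saw. The fix is the one-line discipline in `parse`: whatever size determines the entry’s data must also determine where the next header begins.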
Rust is widely promoted for enabling memory-safe applications, but, say Edera researchers, “the discovery of TARmageddon is an important reminder that Rust is not a silver bullet.”
“It does not eliminate logic bugs,” the report points out, “and this parsing inconsistency is fundamentally a logic flaw. Developers must remain vigilant against all classes of vulnerabilities, regardless of the language used.”
The report is also a reminder of the hazards of relying on unmaintained open source libraries in code.