
Abandoned Rust Library Flaw Sparks RCE Attack Risk

Summary

– A high-severity vulnerability (CVE-2025-62518) in the abandoned async-tar Rust library and its forks enables remote code execution on unpatched systems.
– This logic flaw, called TARmageddon, allows unauthenticated attackers to inject archive entries during TAR file extraction due to desynchronization from mismatched headers.
– The vulnerability affects widely used projects like tokio-tar, which has over 7 million downloads and remains unpatched despite active forks being fixed.
– Exploitation can lead to supply chain attacks by overwriting configuration files and hijacking build backends, with an unquantifiable impact across the ecosystem.
– Developers are advised to upgrade to patched versions, switch to the astral-tokio-tar fork, or remove the vulnerable dependency immediately.

A newly identified security vulnerability within the abandoned async-tar Rust library and its derivatives poses a serious threat, potentially enabling remote code execution on systems that have not been updated. Designated as CVE-2025-62518, this logic flaw stems from a desynchronization problem during TAR archive extraction. Attackers can exploit this issue without needing authentication to insert extra archive entries.

The vulnerability, named TARmageddon by the cybersecurity firm Edera, is triggered when nested TAR files contain mismatched ustar and PAX extended headers. The mismatch desynchronizes the parser, which then misinterprets file content as archive headers. As a result, attacker-supplied files can be extracted and used to overwrite critical system files. Such actions could lead to supply chain attacks in which configuration files are altered or build backends are hijacked.

This security weakness impacts not just the original async-tar library but also tokio-tar, a widely used fork with over seven million downloads on crates.io. Unfortunately, both of these projects are no longer maintained. Although active forks have received patches, Edera points out that accurately assessing the vulnerability’s full impact is challenging. The extensive use of tokio-tar across many projects makes it difficult to measure the potential damage across the software ecosystem.

Edera emphasized that the highly downloaded tokio-tar remains unpatched, underscoring a significant systemic issue. The TARmageddon flaw affects numerous prominent projects, including Binstalk, Astral’s uv Python package manager, the wasmCloud universal application platform, liboxen, and the open-source testcontainers library. While some projects contacted by Edera have committed to removing the vulnerable dependency or switching to a secure fork, others have not responded. Many additional projects that were not directly notified are likely still using the vulnerable code.

Developers are strongly advised to upgrade to a patched version or completely remove the vulnerable tokio-tar dependency from their projects. For those relying on tokio-tar, switching to the actively maintained astral-tokio-tar fork is the recommended course of action. To prevent further confusion in the ecosystem, Edera’s own async-tar fork, krata-tokio-tar, will be archived. Taking these steps is essential to protect applications from potential exploitation.

(Source: Bleeping Computer)
