CVE-2025-62518 RCE Flaw In Async-tar


A critical flaw has been identified in a Rust library that demands immediate attention from developers and IT decision-makers leveraging the Rust ecosystem. The vulnerability, tracked as CVE-2025-62518, exposes serious remote code execution (RCE) risks in the widely used async-tar library ecosystem.

The root of the problem lies in a boundary-parsing error in the code that walks TAR archive headers. The library at the center is the async-tar "family" of crates: the original async-tar library and its many forks, including the popular tokio-tar and astral-tokio-tar. According to vulnerability listings, versions of astral-tokio-tar before 0.5.6 contain the flaw. NVD records confirm it was published on October 21, 2025.

Researchers at Edera dubbed the vulnerability "TARmageddon" and described it as a boundary-parsing bug in a Rust library that can lead to RCE via file-overwriting attacks, such as replacing configuration files or hijacking build back-ends.

Technical Overview of the CVE-2025-62518 Vulnerability

The issue lies in the inconsistent handling of PAX and ustar headers during TAR-file extraction in the affected Rust library. In some TAR archives, a PAX extended header may declare a file size (say X bytes) while the accompanying ustar header incorrectly declares zero bytes.

The vulnerable library uses the ustar size (zero) when advancing the stream, so it never skips over the X bytes of file data, which in the reported case is a nested TAR archive. The parser's position falls out of step with the archive and it treats the headers of the nested archive as entries of the outer archive. This misalignment allows for:

  • File-overwriting attacks during extraction 
  • Supply-chain poisoning via build systems or package managers 
  • Bypassing security scanners or manifest checks by hiding nested archives 

In one example scenario, an attacker crafts a malicious archive such that, during extraction via the vulnerable Rust library (in a build or CI system), the hidden inner TAR injects or overwrites files unexpectedly, potentially giving the attacker remote code execution (RCE).
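To make the header disagreement concrete, the following Rust program is an added example, not code from the advisory or from any async-tar crate. It builds a small constructed archive in memory whose second entry carries a PAX `size` record while its ustar size field says 0, then walks it twice: once honouring the PAX record (the corrected behaviour) and once using only the ustar field (the behaviour described for CVE-2025-62518). The builder, the walker and the `has_size_desync` check are all assumptions of this example; it uses only the standard library and does not verify header checksums.

```rust
use std::str;

const BLOCK: usize = 512;

#[derive(Debug, Clone, PartialEq)]
pub struct Entry {
    pub name: String,
    pub size: usize,
}

/// Parse a NUL/space-terminated octal field such as the ustar size field.
fn octal(field: &[u8]) -> usize {
    let end = field.iter().position(|&b| b == 0 || b == b' ').unwrap_or(field.len());
    str::from_utf8(&field[..end]).ok()
        .and_then(|s| usize::from_str_radix(s, 8).ok())
        .unwrap_or(0)
}

/// Round a data length up to the next 512-byte block boundary.
fn padded_len(n: usize) -> usize { (n + BLOCK - 1) / BLOCK * BLOCK }

/// Pull the `size=` record out of a PAX extended-header body ("<len> key=value\n" records).
fn pax_size(body: &[u8]) -> Option<usize> {
    let text = str::from_utf8(body).ok()?;
    text.lines()
        .filter_map(|rec| rec.split_once(' '))
        .filter_map(|(_, kv)| kv.split_once('='))
        .find(|(k, _)| *k == "size")
        .and_then(|(_, v)| v.parse().ok())
}

/// Walk the archive and return the entries a reader would see.
/// honour_pax = true: a preceding PAX `size` record decides how much data to skip (corrected).
/// honour_pax = false: the ustar size field is used even when a PAX record disagrees (the bug).
pub fn walk(archive: &[u8], honour_pax: bool) -> Result<Vec<Entry>, String> {
    let mut entries = Vec::new();
    let mut pos = 0;
    let mut pending: Option<usize> = None;
    while pos + BLOCK <= archive.len() {
        let h = &archive[pos..pos + BLOCK];
        if h.iter().all(|&b| b == 0) { return Ok(entries); } // end-of-archive marker
        if &h[257..262] != b"ustar" {
            return Err(format!("not a ustar header at offset {}", pos));
        }
        let name = String::from_utf8_lossy(&h[..100]).trim_end_matches('\0').to_string();
        let ustar_size = octal(&h[124..136]);
        let typeflag = h[156];
        pos += BLOCK;
        if typeflag == b'x' {
            let body = archive.get(pos..pos + ustar_size).ok_or("truncated PAX header")?;
            pending = pax_size(body);
            pos += padded_len(ustar_size);
            continue;
        }
        let size = match pending.take() {
            Some(p) if honour_pax => p,
            _ => ustar_size,
        };
        if pos + padded_len(size) > archive.len() {
            return Err(format!("entry {} is truncated", name));
        }
        entries.push(Entry { name, size });
        pos += padded_len(size);
    }
    Err("missing end-of-archive marker".into())
}

/// Defender check: if the two walks disagree, a ustar-only reader misparses this archive
/// and would see entries (here, the nested archive's members) that a PAX-aware scanner does not.
pub fn has_size_desync(archive: &[u8]) -> bool {
    walk(archive, true).ok() != walk(archive, false).ok()
}

/// Build one ustar header block (constructed test data).
fn header(name: &str, size: usize, typeflag: u8) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..107].copy_from_slice(b"0000644");
    h[108..115].copy_from_slice(b"0000000");
    h[116..123].copy_from_slice(b"0000000");
    h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes());
    h[136..147].copy_from_slice(b"00000000000");
    h[148..156].copy_from_slice(b"        "); // checksum field counts as spaces while summing
    h[156] = typeflag;
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    let sum: u32 = h.iter().map(|&b| b as u32).sum();
    h[148..155].copy_from_slice(format!("{:06o}\0", sum).as_bytes());
    h
}

fn padded(data: &[u8]) -> Vec<u8> {
    let mut v = data.to_vec();
    v.resize(padded_len(v.len()), 0);
    v
}

/// One PAX record; the leading length counts the whole record including itself.
fn pax_record(key: &str, value: &str) -> Vec<u8> {
    let base = key.len() + value.len() + 3; // ' ', '=' and '\n'
    let mut len = base + 1;
    loop {
        let digits = len.to_string().len();
        if base + digits == len { break; }
        len = base + digits;
    }
    format!("{} {}={}\n", len, key, value).into_bytes()
}

/// Constructed sample: an outer archive holding README and a nested inner.tar.
/// With mismatch = true the ustar size of inner.tar says 0 while the PAX record says the truth.
pub fn sample_archive(mismatch: bool) -> Vec<u8> {
    let mut inner = Vec::new();
    inner.extend_from_slice(&header("build.rs", 12, b'0'));
    inner.extend_from_slice(&padded(b"fn main(){}\n"));
    inner.extend_from_slice(&[0u8; 2 * BLOCK]);

    let mut outer = Vec::new();
    outer.extend_from_slice(&header("README", 5, b'0'));
    outer.extend_from_slice(&padded(b"hello"));
    let pax = pax_record("size", &inner.len().to_string());
    outer.extend_from_slice(&header("PaxHeaders/inner.tar", pax.len(), b'x'));
    outer.extend_from_slice(&padded(&pax));
    let ustar_size = if mismatch { 0 } else { inner.len() };
    outer.extend_from_slice(&header("inner.tar", ustar_size, b'0'));
    outer.extend_from_slice(&inner); // the 2048 bytes the ustar field fails to account for
    outer.extend_from_slice(&[0u8; 2 * BLOCK]);
    outer
}

fn main() {
    let archive = sample_archive(true);
    println!("PAX-aware reader:  {:?}", walk(&archive, true));
    println!("ustar-only reader: {:?}", walk(&archive, false));
    println!("desync detected:   {}", has_size_desync(&archive));
}
```

The PAX-aware walk reports two entries, `README` and `inner.tar`, and stops at the outer end-of-archive marker. The ustar-only walk records `inner.tar` with size 0, does not advance, and then reads the nested archive's `build.rs` header as an outer entry before stopping at the inner archive's end marker, which is the misalignment the section describes. A pre-extraction gate built on `has_size_desync` refuses any archive the two readings disagree on, so a build system can reject it before a ustar-only extractor ever writes a file.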

Scope & affected ecosystem 

Because tokio-tar has over 5 million downloads and has been used widely (often as an indirect dependency), the blast radius is large. Projects known to be impacted include uv (a Python package manager), testcontainers, and wasmCloud.  

The complexity is worsened by the fact that the most popular fork (tokio-tar) appears to be unmaintained ("abandonware"), meaning the fix cannot simply be pushed upstream and inherited automatically.

Disclosure timeline 

The vulnerability disclosure followed a non-standard, decentralized process because of the upstream abandonment. Key dates: 

  • August 21, 2025: Bug discovered by Edera and a minimal repro built. 
  • August 22: Patches created and initial disclosures made to library maintainers and select downstream users under a 60-day embargo (ending October 21). 
  • September 2: Acknowledgment from the upstream async-tar project. 
  • October 21, 2025: Public release of advisory and patches. 

Conclusion  

Organizations using the affected Rust library should act quickly to address CVE-2025-62518, a high-severity RCE vulnerability in the async-tar ecosystem. The safest step is to upgrade to astral-tokio-tar version 0.5.6 or later or migrate away from unmaintained forks like tokio-tar.  

If immediate patching isn't possible, apply mitigations such as sandboxed extraction, file-size limits, and post-extraction scans, and review dependencies for indirect exposure. The TARmageddon flaw highlights that Rust's memory-safety guarantees do not prevent logic bugs such as this parsing error.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.