A severe vulnerability has been disclosed in the async-tar Rust library and its popular forks, including the widely used tokio-tar. Dubbed TARmageddon and tracked as CVE-2025-62518, the bug carries a CVSS score of 8.1, classifying it as high severity.
It allows attackers to manipulate TAR archive parsing, potentially overwriting critical files like configuration scripts and triggering remote code execution (RCE) in affected systems.
According to Edera, the flaw stems from a boundary-parsing error that mishandles nested TAR files, especially when PAX extended headers conflict with ustar headers.
In vulnerable versions, the parser skips over actual file data based on a misleading zero-byte size in the ustar header, while ignoring the correct size in the PAX header.
This desynchronization lets hidden entries from inner archives “smuggle” into the outer extraction, overwriting files in the target directory.
Major projects like Astral’s uv Python package manager, testcontainers for container testing, and wasmCloud are at risk, with the vulnerability’s reach extending across millions of downloads due to tokio-tar’s ubiquity in the Rust ecosystem.
Navigating The Maze Of Abandoned Forks
Disclosing and patching TARmageddon proved unusually complex because tokio-tar, the most downloaded fork with over 5 million crates.io pulls, appears abandoned, with no active maintainers, no SECURITY.md file, and scant contact info.
Edera coordinated a decentralized effort across the fork lineage: from the root async-tar to tokio-tar, then to their own krata-tokio-tar (now archived) and Astral’s actively maintained astral-tokio-tar.
Researchers developed patches for the active forks, shared them under a 60-day embargo starting August 21, 2025, and reached out to downstream projects like binstalk and opa-wasm.
While Astral swiftly integrated the fix into uv and their fork, responses from others were mixed; some planned to drop the dependency, while uncontacted users remain exposed.
The original tokio-tar and async-tar lack patches, forcing users to migrate manually. Edera urges immediate upgrades to patched versions or removal of the dependency, with astral-tokio-tar as the recommended alternative.
The patch enforces PAX header priority for size checks, validates header consistency, and adds boundary safeguards to prevent misalignment.
For those unable to switch quickly, workarounds include using the synchronous tar crate or runtime checks like manifest validation and sandboxed extractions.
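As an added illustration of the patched policy described above and of the manifest-validation workaround (this is example code, not Edera's, async-tar's or tokio-tar's), the following Rust checker walks ustar/PAX headers, lets a PAX `size=` record override the ustar size field when skipping entry data, and rejects an archive whose two sizes conflict or whose data runs past the buffer. The sample archive it builds is constructed here; header checksums are left out because the checker does not verify them.

```rust
// Added example (not Edera's, async-tar's or tokio-tar's code); checksums are not verified.
const BLOCK: usize = 512;

/// Find the `size=` record in a PAX extended-header body ("<len> key=value\n" lines).
fn pax_size(body: &[u8]) -> Option<u64> {
    let text = std::str::from_utf8(body).ok()?;
    text.lines().find_map(|rec| rec.split_once(' ')?.1.strip_prefix("size=")?.parse().ok())
}
/// Build a minimal ustar header block (name under 100 bytes, checksum left empty).
pub fn header(name: &str, size: u64, typeflag: u8) -> Vec<u8> {
    let mut h = vec![0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[124..135].copy_from_slice(format!("{size:011o}").as_bytes()); // octal size field
    h[156] = typeflag;
    h
}
/// Walk the archive and return (name, size) per regular entry. A PAX `size=` record takes
/// priority when skipping data; a conflicting nonzero ustar size or out-of-bounds data is rejected.
pub fn check_archive(tar: &[u8]) -> Result<Vec<(String, u64)>, String> {
    let (mut pos, mut pax, mut out) = (0usize, None::<u64>, Vec::new());
    while pos + BLOCK <= tar.len() {
        let h = &tar[pos..pos + BLOCK];
        if h.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        let name = String::from_utf8_lossy(&h[..100]).trim_end_matches('\0').to_string();
        let field = std::str::from_utf8(&h[124..136]).unwrap_or("").trim_matches(|c: char| c == '\0' || c == ' ');
        let ustar = u64::from_str_radix(field, 8).map_err(|_| format!("{name}: bad ustar size field"))?;
        let size = match (h[156], pax.take()) {
            (b'x', _) => ustar, // extended header: its body is the record list
            (_, Some(p)) if ustar != 0 && ustar != p =>
                return Err(format!("{name}: ustar size {ustar} conflicts with PAX size {p}")),
            (_, p) => p.unwrap_or(ustar), // PAX size wins over the ustar field when present
        };
        let start = pos + BLOCK; // data follows the header, padded to 512 bytes
        let end = usize::try_from(size).ok().and_then(|s| start.checked_add(s))
            .filter(|&e| e <= tar.len()).ok_or(format!("{name}: data runs past end of archive"))?;
        if h[156] == b'x' { pax = pax_size(&tar[start..end]); } else { out.push((name, size)); }
        pos = start + (end - start + BLOCK - 1) / BLOCK * BLOCK;
    }
    Ok(out)
}

/// Constructed sample: the PAX header says 1024 bytes, the entry's own ustar size field says 0.
pub fn sample_archive() -> Vec<u8> {
    let mut tar = header("PaxHeader/pyproject.toml", 13, b'x');
    tar.extend_from_slice(b"13 size=1024\n");
    tar.resize(BLOCK * 2, 0); // pad the PAX record to a full block
    tar.extend_from_slice(&header("pyproject.toml", 0, b'0'));
    tar.extend([vec![b'#'; 1024], vec![0u8; BLOCK * 2]].concat()); // real data, then end marker
    tar
}
```

A vulnerable parser advancing by the ustar value would start reading the 1024 data bytes as the next header; this checker instead reports one 1024-byte entry, and an archive where the two sizes disagree is refused before any extraction.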
Attackers could exploit TARmageddon in devious ways. In one scenario, a malicious PyPI package uses an outer TAR with a benign pyproject.toml, but a nested inner TAR overwrites it with a rogue build backend, executing code during installation on developer or CI machines.
Container frameworks like testcontainers risk poisoning test environments by extracting tainted image layers, introducing backdoors. Security scanners might approve a “clean” outer archive, only for extraction to pull in unscanned malware, bypassing bill-of-materials checks.
This incident underscores Rust’s limits: while it thwarts memory bugs, logic flaws like this persist in unmaintained code.
The 60-day timeline from discovery on August 21 to coordinated release on October 21 highlights the inefficiencies of fork-heavy ecosystems.
Edera notes their own products dodged impact through defense-in-depth, but the episode calls for better maintenance signals and proactive forking in open source.