
TARmageddon Remote Code Execution Flaw Hits Rust Async Tar Library

Cybersecurity researchers have disclosed a high-severity flaw, codenamed TARmageddon, in the popular async-tar Rust library and its forks, including the widely used but seemingly abandoned tokio-tar. The vulnerability, tracked as CVE-2025-62518 (CVSS score 8.1), can lead to remote code execution (RCE) under specific conditions.

The Logic Flaw: File Overwriting Risk

The issue, discovered by Edera, stems from inconsistent handling of PAX extended headers and ustar headers when the library determines file data boundaries during archive processing.

In essence, when a TAR archive uses a PAX header to correctly specify the size of a file, the parser can be misled if the older ustar header for the same entry gives the size as zero. Because of this mismatch, the library misplaces the end of the file's data and treats the file content as the headers of new archive entries.

This inconsistency allows an attacker to "smuggle" extra archive entries inside the original file data. When such a malicious nested TAR archive is processed, files within the extraction directory can be overwritten, which is the path to RCE through attacks like replacing configuration files or hijacking build backends.
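To make the boundary rule concrete, here is an added example in Rust (not code from async-tar, tokio-tar or Edera): a minimal ustar/PAX walker run over a constructed archive whose PAX record says 1024 bytes while the ustar field says 0. `walk` with `honor_pax == false` advances by the ustar size only and so reads the entry's data as a second header; with `honor_pax == true` it advances by the PAX `size` record, which is what a correct parser must do. The names `walk`, `pax_size`, `header` and `sample_archive` are this example's own.

```rust
const BLOCK: usize = 512;
// Parse a NUL/space-terminated octal tar numeric field.
fn octal(f: &[u8]) -> usize {
    let s: String = f.iter().take_while(|&&b| b != 0 && b != b' ').map(|&b| b as char).collect();
    usize::from_str_radix(&s, 8).unwrap_or(0)
}
// Return the `size` record from a PAX extended-header body ("<len> key=value\n" per record).
fn pax_size(body: &[u8]) -> Option<usize> {
    std::str::from_utf8(body).ok()?.lines()
        .find_map(|r| r.split_once(' ')?.1.strip_prefix("size=")?.parse().ok())
}
// Build a minimal ustar header block (checksum left unset; this walker does not verify it).
fn header(name: &str, size: usize, typeflag: u8) -> Vec<u8> {
    let mut h = vec![0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes());
    h[156] = typeflag;
    h[257..263].copy_from_slice(b"ustar\0");
    h
}
// List (name, data length) per entry. With honor_pax == false the ustar size field alone
// decides where an entry's data ends, which is the boundary confusion described above.
fn walk(archive: &[u8], honor_pax: bool) -> Vec<(String, usize)> {
    let (mut out, mut pos, mut pax) = (Vec::new(), 0usize, None);
    while pos + BLOCK <= archive.len() {
        let h = &archive[pos..pos + BLOCK];
        if h.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        let (mut size, data) = (octal(&h[124..136]), pos + BLOCK);
        if h[156] == b'x' { // PAX header: its body length is its own ustar size
            pax = pax_size(&archive[data..data.saturating_add(size).min(archive.len())]);
        } else {
            if let (true, Some(s)) = (honor_pax, pax.take()) { size = s; }
            let name = String::from_utf8_lossy(&h[..100]).trim_end_matches('\0').to_string();
            out.push((name, size));
        }
        pos = data.saturating_add(size.saturating_add(BLOCK - 1) / BLOCK * BLOCK);
    }
    out
}
// Constructed sample: PAX says 1024 bytes, ustar says 0, and the data starts with a nested header.
fn sample_archive() -> Vec<u8> {
    let rec = b"13 size=1024\n";
    let mut a = header("pax", rec.len(), b'x');
    a.extend_from_slice(rec);
    a.resize(2 * BLOCK, 0);
    a.extend(header("outer.bin", 0, b'0'));
    a.extend(header("inner.txt", 5, b'0')); // sits inside outer.bin's 1024 data bytes
    a.extend_from_slice(b"hello");
    a.resize(7 * BLOCK, 0); // pad the data, then two zero end-of-archive blocks
    a
}
```

A practical mitigation check follows directly from `walk`: flag any entry whose PAX `size` record disagrees with a non-matching ustar size field before extracting anything.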

Abandoned Library Increases Danger

The threat is compounded by the fact that the vulnerable tokio-tar library is considered abandonware, having not been updated since July 2023 despite being heavily downloaded. Users of this library are strongly advised to migrate to the astral-tokio-tar fork, which has released version 0.5.6 to specifically address this flaw.

This incident underscores that even Rust, a language known for its memory safety guarantees, is susceptible to logic bugs like this parsing inconsistency. Researchers emphasize that developers must remain vigilant against all classes of vulnerabilities, regardless of the programming language they use.
