Going public today is CVE-2025-62518, better known by the name the security researchers involved gave it: TARmageddon. The TARmageddon vulnerability affects the popular async-tar Rust library and its various forks, such as tokio-tar. In turn, TARmageddon impacts the uv Python package manager and other consumers of this library.
Edera made public today their discovery of a critical boundary-parsing bug in the async-tar Rust library and downstream forks like tokio-tar. TARmageddon is rated as a “high” severity bug and can lead to remote code execution through file overwriting attacks.
Yes, this high-severity vulnerability with a remote code execution (RCE) vector happened even though the code is written in Rust, a language typically promoted for its memory safety guarantees: the bug is a logic flaw in how archive entry boundaries are parsed, not a memory safety error, so Rust's guarantees do not prevent it.
Making this issue even more of a headache for those relying on these libraries is that tokio-tar is effectively abandoned, with no upstream maintenance. Edera therefore organized decentralized patching of the key downstream forks, coordinating with Binstalk, opa-wasm, and other projects to get fixes landed.
Those wishing to learn more about this TARmageddon vulnerability can do so via the Edera.dev blog.