Cybersecurity researchers have disclosed details of a high-severity flaw impacting the popular async-tar Rust library and its forks, including tokio-tar, that could result in remote code execution under certain conditions.
The vulnerability, tracked as CVE-2025-62518 (CVSS score: 8.1), has been codenamed TARmageddon by Edera, which discovered the issue in late August 2025. It impacts several widely-used projects, such as testcontainers and wasmCloud.
“In the worst-case scenario, this vulnerability has a severity of 8.1 (High) and can lead to Remote Code Execution (RCE) through file overwriting attacks, such as replacing configuration files or hijacking build backends,” the Seattle-based security company said.
The problem is compounded by the fact that tokio-tar is essentially abandonware despite attracting thousands of downloads via crates.io. Tokio-tar is a Rust library for asynchronously reading and writing TAR archives built atop the Tokio runtime for the programming language. The Rust crate was last updated on July 15, 2023.
In the absence of a patch for tokio-tar, users relying on the library are advised to migrate to astral-tokio-tar, which has released version 0.5.6 to remediate the flaw.
“Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling,” Astral developer William Woodruff said in an alert.
“When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate TAR headers.”
The issue, in a nutshell, is the result of inconsistent handling when handling PAX extended headers and ustar headers when determining file data boundaries. PAX, short for portable archive interchange, is an extended version of the USTAR format used to store properties of member files in a TAR archive.
The mismatch between a PAX extended headers and ustar headers – where the PAX header correctly specifies the file size, whereas the ustar header incorrectly specifies the file size as zero (instead of the PAX size) – leads to a parsing inconsistency, causing the library to interpret the inner content as additional outer archive entries.
“By advancing 0 bytes, the parser fails to skip over the actual file data (which is a nested TAR archive) and immediately encounters the next valid TAR header located at the start of the nested archive,” Edera explained. “It then incorrectly interprets the inner archive’s headers as legitimate entries belonging to the outer archive.”
As a result, an attacker could exploit this behavior to “smuggle” extra archives when the library is processing nested TAR files, thereby making it possible to overwrite files within extraction directories, ultimately paving the way for arbitrary code execution.
In a hypothetical attack scenario, an attacker could upload a specially-crafted package to PyPI such that the outer TAR contains a legitimate pyproject.toml, whereas the hidden inner TAR contains a malicious one that hijacks the build backend and overwrites the actual file during installation.
“While Rust’s guarantees make it significantly harder to introduce memory safety bugs (like buffer overflows or use-after-free), it does not eliminate logic bugs – and this parsing inconsistency is fundamentally a logic flaw,” Edera said. “Developers must remain vigilant against all classes of vulnerabilities, regardless of the language used.”
