Going public today is CVE-2025-62518, better known by the name given by the security researchers involved: TARmageddon. The TARmageddon vulnerability affects the popular async-tar Rust library and its various forks such as tokio-tar. In turn, TARmageddon impacts the uv Python package manager and other users of this library.
Edera made public today their discovery of a critical boundary-parsing bug in the async-tar Rust library and downstream forks like tokio-tar. TARmageddon is rated as a “high” severity bug and can lead to remote code execution through file overwriting attacks.
Phoronix comment sections never fail to be cesspools
Someone should train an llm on these guys
god no. some of the comments are so misinformed that i wonder whether they are actual software people at all.
No language can catch a logic bug.
What is the vulnerability, what is the attack vector, and how does it work? The technical context, from the linked source (Edera):
This vulnerability is a desynchronization flaw that allows an attacker to “smuggle” additional archive entries into TAR extractions. It occurs when processing nested TAR files that exhibit a specific mismatch between their PAX extended headers and ustar headers.
The flaw stems from the parser’s inconsistent logic when determining file data boundaries:
- A file entry has both PAX and ustar headers.
- The PAX header correctly specifies the actual file size (size=X, e.g., 1MB).
- The ustar header incorrectly specifies zero size (size=0).
- The vulnerable tokio-tar parser incorrectly advances the stream position based on the ustar size (0 bytes) instead of the PAX size (X bytes).
By advancing 0 bytes, the parser fails to skip over the actual file data (which is a nested TAR archive) and immediately encounters the next valid TAR header located at the start of the nested archive. It then incorrectly interprets the inner archive’s headers as legitimate entries belonging to the outer archive.
This leads to:
- File overwriting attacks within extraction directories.
- Supply chain attacks via build system and package manager exploitation.
- Bill-of-materials (BOM) bypass for security scanning.
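To make the boundary rule above concrete, here is a toy TAR walker in Python. It is an added example, not code from async-tar, tokio-tar, uv, or Edera's write-up. It builds a small in-memory archive whose PAX header carries the real size of a nested TAR while the ustar header claims size 0, then walks it twice: once advancing by the ustar size (the defect described above, so the inner archive's entry shows up as an outer entry) and once advancing by the PAX size (the correct rule). A third function is the kind of check a scanner can run: flag any entry whose PAX size and ustar size disagree. All names and helpers are mine.

```python
"""Toy TAR walker contrasting the two entry-boundary rules.
Added example; not code from async-tar, tokio-tar, uv, or Edera.
The archive is constructed in memory and serves only as a parser fixture."""

BLOCK = 512


def _padded(n: int) -> int:
    """Round a byte length up to the next multiple of the 512-byte TAR block."""
    return (n + BLOCK - 1) // BLOCK * BLOCK


def _pad(data: bytes) -> bytes:
    return data + b"\0" * (_padded(len(data)) - len(data))


def ustar_header(name: str, size: int, typeflag: bytes = b"0") -> bytes:
    """Build a 512-byte ustar header with a valid checksum."""
    hdr = bytearray(BLOCK)
    hdr[0:len(name)] = name.encode()          # name
    hdr[100:108] = b"0000644\0"               # mode
    hdr[108:116] = b"0000000\0"               # uid
    hdr[116:124] = b"0000000\0"               # gid
    hdr[124:136] = b"%011o\0" % size          # size, octal
    hdr[136:148] = b"00000000000\0"           # mtime
    hdr[148:156] = b" " * 8                   # checksum field counts as spaces
    hdr[156:157] = typeflag                   # "0" regular file, "x" PAX header
    hdr[257:263] = b"ustar\0"                 # magic
    hdr[263:265] = b"00"                      # version
    hdr[148:156] = b"%06o\0 " % sum(hdr)      # unsigned checksum over the block
    return bytes(hdr)


def pax_record(key: str, value: str) -> bytes:
    """Encode one PAX record: '<len> <key>=<value>\\n', len counting itself."""
    body = f" {key}={value}\n"
    n = len(body) + 1
    while len(str(n)) + len(body) != n:
        n = len(str(n)) + len(body)
    return f"{n}{body}".encode()


def parse_pax(data: bytes) -> dict:
    """Parse PAX extended-header records into a key -> value dict."""
    records = {}
    while data:
        length_str, _ = data.split(b" ", 1)
        length = int(length_str)
        key, value = data[len(length_str) + 1:length - 1].split(b"=", 1)
        records[key.decode()] = value.decode()
        data = data[length:]
    return records


def build_sample_archive() -> bytes:
    """Constructed fixture: [PAX: size=len(inner)] [ustar: inner.tar, size=0] [inner tar].
    The PAX size is right, the ustar size is wrong: the mismatch described above."""
    content = b"constructed sample file\n"
    inner = ustar_header("smuggled.txt", len(content)) + _pad(content) + b"\0" * (2 * BLOCK)
    pax = pax_record("size", str(len(inner)))
    outer = ustar_header("./PaxHeaders/inner.tar", len(pax), b"x") + _pad(pax)
    outer += ustar_header("inner.tar", 0) + _pad(inner)
    return outer + b"\0" * (2 * BLOCK)


def entries(archive: bytes, trust_pax: bool):
    """Yield (name, ustar_size, pax_size) for each regular entry.
    trust_pax=False mimics the vulnerable rule (advance by the ustar size);
    trust_pax=True is the correct rule (a PAX 'size' record overrides ustar)."""
    pos, pending = 0, {}
    while pos + BLOCK <= len(archive):
        hdr = archive[pos:pos + BLOCK]
        pos += BLOCK
        if hdr == b"\0" * BLOCK:
            break                                       # end-of-archive marker
        name = hdr[0:100].split(b"\0", 1)[0].decode()
        ustar_size = int(hdr[124:136].split(b"\0", 1)[0] or b"0", 8)
        if hdr[156:157] == b"x":                        # PAX header applies to next entry
            pending = parse_pax(archive[pos:pos + ustar_size])
            pos += _padded(ustar_size)
            continue
        pax_size = int(pending["size"]) if "size" in pending else None
        pending = {}
        yield name, ustar_size, pax_size
        pos += _padded(pax_size if trust_pax and pax_size is not None else ustar_size)


def list_names(archive: bytes, trust_pax: bool) -> list:
    return [name for name, _, _ in entries(archive, trust_pax)]


def size_mismatches(archive: bytes) -> list:
    """Detection check: entries whose PAX size and ustar size disagree."""
    return [name for name, u, p in entries(archive, True) if p is not None and p != u]


if __name__ == "__main__":
    tar = build_sample_archive()
    print("vulnerable rule:", list_names(tar, trust_pax=False))  # ['inner.tar', 'smuggled.txt']
    print("correct rule:   ", list_names(tar, trust_pax=True))   # ['inner.tar']
    print("mismatches:     ", size_mismatches(tar))              # ['inner.tar']
```

The walker is deliberately minimal (no checksum verification, no long-name or sparse handling); the point is the single decision at the end of `entries`: which size field moves the stream position. A fix for the defect described above is that one line, and `size_mismatches` is the corresponding precondition check a scanner can run over untrusted archives before extraction.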