2397706 – (CVE-2025-59825) CVE-2025-59825 astral-tokio-tar: astral-tokio-tar path traversal

Bug 2397706 (CVE-2025-59825) - CVE-2025-59825 astral-tokio-tar: astral-tokio-tar path traversal

Summary: CVE-2025-59825 astral-tokio-tar: astral-tokio-tar path traversal

Keywords:
Status:	NEW
Alias:	CVE-2025-59825
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2397714 2397715 2397717 2397719 2397720 2397721
Blocks:
TreeView+	depends on / blocked

Reported:	2025-09-23 21:01 UTC by OSIDB Bzimport
Modified:	2025-09-23 21:58 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-09-23 21:01:30 UTC

astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.3 and earlier of astral-tokio-tar, tar archives may extract outside of their intended destination directory when using the Entry::unpack_in_raw API. Additionally, the Entry::allow_external_symlinks control (which defaults to true) could be bypassed via a pair of symlinks that individually point within the destination but combine to point outside of it. These behaviors could be used individually or combined to bypass the intended security control of limiting extraction to the given directory. This in turn would allow an attacker with a malicious tar archive to perform an arbitrary file write and potentially pivot into code execution. This issue has been patched in version 0.5.4. There is no workaround other than upgrading.

Note You need to log in before you can comment on or make changes to this bug.