2405382 – (CVE-2025-62518) CVE-2025-62518 astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization

Bug 2405382 (CVE-2025-62518) - CVE-2025-62518 astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header Desynchronization

Summary: CVE-2025-62518 astral-tokio-tar: astral-tokio-tar Vulnerable to PAX Header De...

Keywords:
Status:	NEW
Alias:	CVE-2025-62518
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2405468 2405469 2405470 2405471 2405472 2405473 2405474 2405475 2405476
Blocks:
TreeView+	depends on / blocked

Reported:	2025-10-21 17:01 UTC by OSIDB Bzimport
Modified:	2025-10-21 20:38 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-10-21 17:01:22 UTC

astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds.

Note You need to log in before you can comment on or make changes to this bug.