CVE-2025-62518— astral-tokio-tar Vulnerable to PAX Header Desynchronization

CVSS 8.1 · High EPSS 0.02% · P5 Updated Oct 22, 2025

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-62518

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

astral-tokio-tar Vulnerable to PAX Header Desynchronization

Source: NVD (National Vulnerability Database)

Vulnerability Description

astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

使用不兼容类型访问资源(类型混淆)

Source: NVD (National Vulnerability Database)

Vulnerability Title

astral-tokio-tar 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

astral-tokio-tar是Astral开源的一个Rust库。 astral-tokio-tar 0.5.6之前版本存在安全漏洞，该漏洞源于边界解析不一致，可能导致解释文件内容为合法tar标头。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
astral-sh	tokio-tar	< 0.5.6	-

II. Public POCs for CVE-2025-62518

#	POC Description	Source Link	Shenlong Link
1	CVE-2025-62518: TARmageddon	https://github.com/edera-dev/cve-tarmageddon	POC Details
2	None	https://github.com/AirineiAndrei/Tarmageddon-CVE-2025-62518-	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2025-62518

请登录查看更多情报信息。

GitHub - edera-dev/cve-tarmageddon: CVE-2025-62518: TARmageddonx_refsource_MISC
PAX Header Desynchronization in astral-tokio-tar · Advisory · astral-sh/tokio-tar · GitHubx_refsource_CONFIRM
https://nvd.nist.gov/vuln/detail/CVE-2025-62518

IV. Related Vulnerabilities

Same product: tokio-tar

Same vendor: astral-sh

Same weakness: CWE-843

V. Comments for CVE-2025-62518

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2025-62518— astral-tokio-tar Vulnerable to PAX Header Desynchronization

I. Basic Information for CVE-2025-62518

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2025-62518

III. Intelligence Information for CVE-2025-62518

IV. Related Vulnerabilities

V. Comments for CVE-2025-62518

Leave a comment