Critical Vulnerability Information

Vulnerability Overview
Vulnerability Name: PAX Header Desynchronization in astral-tokio-tar
CVE ID: CVE-2025-62518
CVSS v3 Base Score: 8.1/10
Severity: High

Affected and Fixed Versions
Affected Versions: <= 0.5.5
Fixed Versions: 0.5.6

Vulnerability Description
Issue: astral-tokio-tar contains a boundary parsing vulnerability when processing tar files with PAX extended headers. When an archive's PAX and ustar headers are processed inconsistently, the parser advances the stream position by the size in the ustar header (typically zero) rather than the size specified by the PAX header, so file content is misinterpreted as a valid tar header.
Root Cause: The PAX header correctly specifies the file size, while the ustar header does not properly indicate it (its size field reads as zero), so tokio-tar advances the stream position by the ustar size (0 bytes).

Attack Mechanism
Condition: When a tar file contains external entries whose PAX header specifies a size but whose ustar header does not, and the file data begins with a valid tar header structure, the parser interprets the internal content as additional external entries, resulting in header/data desynchronization.

Solution
Recommended Upgrade: Upgrade to version 0.5.6 or higher

Timeline
Discovery Date: August 21, 2025
Initial Analysis and PoC Confirmation: August 21, 2025
Maintainer Notification: August 22, 2025
Private Patch and Test Suite Sharing: August 25, 2025
Text Freeze: October 7, 2025
Coordinated Public Disclosure and Patch Release: October 21, 2025

References
Edera Blog Post
Technical Reproduction Repository
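As an added example (not code from astral-tokio-tar or the Edera write-up), the walker below implements the reconciliation the fix requires: when a PAX extended header carries a size record, that size, not the ustar size field, decides how far the stream advances. The archive bytes, entry names and record values are constructed inline for illustration; honor_pax=False shows the ustar-only advance landing on file content instead of a header.

```python
BLOCK = 512
_pad = lambda n: (n + BLOCK - 1) // BLOCK * BLOCK   # round up to a 512-byte block

def ustar_header(name, size, typeflag):
    """One 512-byte ustar header; `size` lands in the ustar size field (octal)."""
    h = bytearray(BLOCK)
    h[0:len(name)] = name.encode()
    h[100:108], h[108:116], h[116:124] = b"0000644\0", b"0000000\0", b"0000000\0"
    h[124:136], h[136:148] = f"{size:011o}\0".encode(), b"00000000000\0"
    h[156], h[257:263], h[263:265] = ord(typeflag), b"ustar\0", b"00"
    h[148:156] = b"        "                      # checksum is computed over spaces
    h[148:156] = f"{sum(h):06o}\0 ".encode()
    return bytes(h)

def pax_record(key, value):
    """PAX record '<len> key=value\\n'; <len> counts the whole record, itself included."""
    body = f" {key}={value}\n"
    total = next(n for n in range(len(body) + 1, len(body) + 4) if len(str(n)) + len(body) == n)
    return f"{total}{body}".encode()

def parse_pax(blob):
    records = {}
    while blob:
        n = int(blob.split(b" ", 1)[0])
        key, _, value = blob[:n].split(b" ", 1)[1].rstrip(b"\n").partition(b"=")
        records[key.decode()] = value.decode()
        blob = blob[n:]
    return records

def walk(buf, honor_pax=True):
    """Return [(name, size, data)]. honor_pax=False reproduces the ustar-size-only advance."""
    pos, pax, entries = 0, {}, []
    while pos + BLOCK <= len(buf) and buf[pos:pos + BLOCK] != bytes(BLOCK):
        hdr = buf[pos:pos + BLOCK]
        if hdr[257:262] != b"ustar":
            raise ValueError(f"header/data desync: no ustar magic at offset {pos}")
        name = hdr[0:100].rstrip(b"\0").decode()
        ustar_size = int(hdr[124:136].rstrip(b"\0 ").decode() or "0", 8)
        typeflag, pos = chr(hdr[156]), pos + BLOCK
        if typeflag == "x":                       # PAX extended header: stash for next entry
            pax, pos = parse_pax(buf[pos:pos + ustar_size]), pos + _pad(ustar_size)
            continue
        size = int(pax.get("size", ustar_size)) if honor_pax else ustar_size
        entries.append((name, size, buf[pos:pos + size]))
        pax, pos = {}, pos + _pad(size)
    return entries
# Constructed archive: the PAX record says size=600 while the ustar size field reads 0.
PAX_BLOB, DATA = pax_record("size", 600), b"A" * 600
ARCHIVE = (ustar_header("PaxHeader/data.bin", len(PAX_BLOB), "x") + PAX_BLOB.ljust(_pad(len(PAX_BLOB)), b"\0")
           + ustar_header("data.bin", 0, "0") + DATA + bytes(_pad(600) - 600) + bytes(2 * BLOCK))
```

With honor_pax=True the walker returns the single 600-byte entry; with honor_pax=False it advances 0 bytes and the next "header" it reads is file content, which the magic check rejects.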