VYPR
High severity8.1OSV Advisory· Published Oct 21, 2025· Updated Apr 15, 2026

CVE-2025-62518

CVE-2025-62518

Description

astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
astral-tokio-tarcrates.io
< 0.5.60.5.6
tokio-tarcrates.io
<= 0.3.1

Affected products

11

Patches

Vulnerability mechanics

References

7

News mentions

1