VYPR

Tokio Tar

by Astral Sh

Source repositories

CVEs (3)

  • CVE-2025-62518HigOct 21, 2025
    risk 0.46cvss 8.1epss 0.01

    astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When…

  • CVE-2025-59825MedSep 23, 2025
    risk 0.33cvss epss 0.00

    astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.3 and earlier of astral-tokio-tar, tar archives may extract outside of their intended destination directory when using the Entry::unpack_in_raw API. Additionally, the…

  • CVE-2026-32766MedMar 20, 2026
    risk 0.27cvss 5.3epss 0.00

    astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building…