{"id":5509,"date":"2025-10-22T23:57:00","date_gmt":"2025-10-22T23:57:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5509"},"modified":"2025-10-22T23:57:00","modified_gmt":"2025-10-22T23:57:00","slug":"serious-vulnerability-found-in-rust-library","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5509","title":{"rendered":"Serious vulnerability found in Rust library"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Developers creating projects in the Rust programming language, as well as IT leaders with Rust-based applications in their environments, should pay attention to a serious vulnerability found in one of the programming language\u2019s libraries.<\/p>\n<p>Researchers at Edera say they have uncovered a critical boundary-parsing bug, dubbed TARmageddon (<a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-62518\" target=\"_blank\" rel=\"noopener\">CVE-2025-62518<\/a>), in the popular\u00a0<em>async-tar<\/em>\u00a0Rust library. And not only is it in this library, but also in its many forks, including the widely used\u00a0<em>tokio-tar<\/em>.<\/p>\n<p>\u201cIn the worst-case scenario, this vulnerability has a severity of 8.1 (High) and can lead to Remote Code Execution (RCE) through file overwriting attacks, such as replacing configuration files or hijacking build backends,\u201d <a href=\"https:\/\/edera.dev\/stories\/tarmageddon\" target=\"_blank\" rel=\"noopener\">the researchers say in a report. 
<\/a>Among the other possible impacts is the spread of the infection via applications, also known as a supply chain attack.<\/p>\n<p>The first recommended action is to patch all active forks, since this vulnerability impacts major, widely-used projects, the researchers say, including <em>uv<\/em> (Astral\u2019s Python package manager),\u00a0<em>testcontainers<\/em>, and\u00a0<em>wasmCloud<\/em>. \u201cDue to the widespread nature of\u00a0<em>tokio-tar<\/em>\u00a0in various forms, it is not possible to truly quantify upfront the blast radius of this bug across the ecosystem,\u201d they say.<\/p>\n<p>To make things worse, the researchers warn, the highly downloaded\u00a0<em>tokio-tar<\/em>\u00a0remains unpatched, probably because it\u2019s no longer actively maintained.<\/p>\n<p>Edera suggests that developers who rely on <em>tokio-tar<\/em> consider migrating to an actively maintained fork such as\u00a0<em>astral-tokio-tar<\/em> version 0.5.6 or later, which has been patched.<\/p>\n<p>IT leaders also need to scan their applications to see if any were developed in Rust and are at risk.<\/p>\n<h2 class=\"wp-block-heading\">Why is it critical?<\/h2>\n<p>TAR files are used in Unix and Linux systems for bundling multiple directories and files into an archive file that retains the full directory structure and metadata of the original information, explains Robert Beggs, head of Canadian incident response firm DigitalDefence. 
Archive files are commonly used in backups, or for packing software for purposes such as distributing source code.<\/p>\n<p>Because of the way in which particular versions of the TAR libraries were written, a vulnerability exists, he said in an email to <em>CSO<\/em>, noting, \u201cIn the worst case, it would allow an attacker to execute arbitrary code on a host system and engage in malicious actions, such as overwriting critical files (configuration files, build scripts), or gaining unauthorized filesystem access.\u201d Exploitation could also result in the compromise of any system that extracts files from the malicious TAR.<\/p>\n<p>\u201cThe vulnerability is especially serious because the vulnerable TAR libraries are often present as part of applications that are not actively maintained, and may be missed when patching or otherwise mitigating the issue,\u201d he added.<\/p>\n<p>While there are as yet no known exploits of this vulnerability, Beggs said that can change quickly. \u201cIt is a high severity vulnerability \u2014 8.1 on a scale of 1 to 10,\u201d he pointed out, \u201cso it will likely attract the attention of attackers.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Recommendations<\/h2>\n<p>He recommends infosec leaders:<\/p>\n<ul>\n<li>audit code to identify dependencies for forks or wrappers of <em>tokio-tar<\/em> and ensure that they are also patched;<\/li>\n<li>review usage of TAR files in continuous integration\/continuous deployment environments as well as containers, and ensure that they are patched;<\/li>\n<li>isolate (sandbox) archives when processing, and avoid extracting TAR files from untrusted sources;<\/li>\n<li>continue to monitor for possible exploits or further vulnerabilities associated with the library.<\/li>\n<\/ul>\n<p>Admins may also be interested in <a href=\"https:\/\/github.com\/astral-sh\/tokio-tar\/security\/advisories\/GHSA-j5gw-2vrg-8fgx\" target=\"_blank\" rel=\"noopener\">this advisory 
explaining the problem<\/a> created by Astral Security, which maintains <em>astral-tokio-tar<\/em>.<\/p>\n<p>The bug was discovered in July and disclosed that month to maintainers of all libraries, the Rust Foundation, and a certain number of projects. It was agreed details wouldn\u2019t be released until this week.<\/p>\n<p>Because the most popular fork (<em>tokio-tar<\/em>, with over 5 million downloads on crates.io) appears to be no longer actively maintained, Edera co-ordinated a decentralized disclosure across the complex fork lineage.<\/p>\n<h2 class=\"wp-block-heading\">Possible consequences<\/h2>\n<p>The vulnerability is a desynchronization flaw that allows an attacker to \u2018smuggle\u2019 additional archive entries into TAR extractions, says Edera. It occurs when processing nested TAR files that exhibit a specific mismatch between their PAX extended headers and ustar headers. The flaw stems from the parser\u2019s inconsistent logic when determining file data boundaries.<\/p>\n<p>Among the possible attack scenarios described by Edera are:<\/p>\n<ul>\n<li>an attack on Python package managers using <em>tokio-tar<\/em>. An attacker uploads a malicious package to the open source PyPI repository, from which developers download useful utilities. The package\u2019s outer TAR container has a legitimate file but the hidden inner TAR contains a malicious one that hijacks the build backend. This hidden inner TAR introduces unexpected or overwritten files, which compromises the test environment and pollutes the supply chain;<\/li>\n<li>an attack on any system with separate \u2018scan\/approve\u2019 phases. A security scanner analyzes the outer, clean TAR and approves its limited file set. 
However, the extraction process using the vulnerable library pulls in additional, unapproved, and unscanned files from the inner TAR, resulting in a security control bypass and policy violation.<\/li>\n<\/ul>\n<p>Rust developers say the language allows the creation of memory-safe applications, but, say Edera researchers, \u201cthe discovery of TARmageddon is an important reminder that Rust is not a silver bullet.\u201d<\/p>\n<p>\u201cIt does not eliminate logic bugs,\u201d the report points out, \u201cand this parsing inconsistency is fundamentally a logic flaw. Developers must remain vigilant against all classes of vulnerabilities, regardless of the language used.\u201d<\/p>\n<p>The report is also a reminder of the hazards of relying on unmaintained open source libraries in code.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Developers creating projects in the Rust programming language, as well as IT leaders with Rust-based applications in their environments, should pay attention to a serious vulnerability found in one of the programming language\u2019s libraries. Researchers at Edera say they have uncovered a critical boundary-parsing bug, dubbed TARmageddon (CVE-2025-62518), in the popular\u00a0async-tar\u00a0Rust library. 
And not only [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5510,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5509","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5509"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5509"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5509\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5510"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5509"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5509"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5509"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}