Cybersecurity experts have identified a significant vulnerability in the widely-used async-tar Rust library and its derivatives, notably tokio-tar. This flaw, designated as CVE-2025-62518 with a CVSS score of 8.1, has been dubbed TARmageddon by the security firm Edera, which uncovered the issue in late August 2025. The vulnerability poses a risk of remote code execution (RCE) under specific conditions, affecting prominent projects like testcontainers and wasmCloud.
Edera’s analysis indicates that, in severe cases, the vulnerability can lead to RCE through file overwriting attacks. This could involve replacing configuration files or commandeering build backends, thereby compromising system integrity.
The situation is further complicated by the status of tokio-tar, which, despite its popularity and thousands of downloads from crates.io, has not been actively maintained. Tokio-tar is a Rust library designed for asynchronous reading and writing of TAR archives, built on the Tokio runtime. The last update to this crate was on July 15, 2023.
In light of the absence of a patch for tokio-tar, users are advised to transition to astral-tokio-tar. This alternative has addressed the vulnerability in its version 0.5.6 release. William Woodruff, a developer at Astral, highlighted that versions prior to 0.5.6 contain a boundary parsing vulnerability. This flaw allows attackers to insert additional archive entries by exploiting inconsistent handling of PAX and ustar headers.
The core of the issue lies in the inconsistent processing of PAX extended headers and ustar headers when determining file data boundaries. PAX, an extension of the USTAR format, is used to store properties of files within a TAR archive. A discrepancy arises when a PAX extended header correctly specifies the file size, but the corresponding ustar header incorrectly lists the file size as zero. This inconsistency leads the library to misinterpret the inner content as additional entries in the outer archive.
Edera explains that by advancing zero bytes, the parser fails to skip over the actual file data, which may be a nested TAR archive. Consequently, it encounters the next valid TAR header at the start of the nested archive and incorrectly interprets these inner headers as legitimate entries of the outer archive.
This vulnerability enables attackers to smuggle extra archives during the processing of nested TAR files. This can lead to the overwriting of files within extraction directories, potentially resulting in arbitrary code execution.
For instance, an attacker could upload a specially-crafted package to PyPI. In this scenario, the outer TAR contains a legitimate pyproject.toml file, while a hidden inner TAR contains a malicious version. During installation, this malicious file could overwrite the actual file, hijacking the build backend.
Edera emphasizes that while Rust’s design significantly reduces the likelihood of memory safety issues like buffer overflows or use-after-free errors, it does not eliminate logical errors. This parsing inconsistency is fundamentally a logic flaw, underscoring the need for developers to remain vigilant against all classes of vulnerabilities, regardless of the programming language used.
