TARmageddon: Remote Code Execution Vulnerability Found in Abandoned Rust Library

A critical vulnerability, dubbed TARmageddon and tracked as CVE-2025-62518, has been discovered in the async-tar library for Rust and its forks—including the widely used tokio-tar. The flaw allows unauthenticated attackers to execute arbitrary code remotely by exploiting a logic error in how the library processes TAR archives.


A Desynchronization Bug with Dangerous Consequences

Researchers from Edera, who discovered the issue, describe TARmageddon as a desynchronization bug that occurs when the library processes nested TAR archives containing mismatched ustar and PAX extended headers.

During unpacking, the parser mistakenly treats file content as header data, leading to the unintended extraction of attacker-controlled files. This allows a remote attacker to inject additional entries into an archive and potentially overwrite files on the target system.
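As an added, defender-side illustration (not code from the page, from Edera, or from async-tar/tokio-tar), the Rust scanner below walks a TAR byte stream before extraction and flags any entry whose PAX extended header `size` record contradicts the ustar header's octal size field, the kind of ustar/PAX disagreement described above. It assumes the size field is the mismatch that matters, skips checksum verification, and its sample archive is constructed for the test.

```rust
// Added example, not code from the page or from async-tar/tokio-tar: flag entries
// whose PAX `size` record disagrees with the ustar header's octal size field.
// Assumption: the size field is the mismatch of interest; header checksums are
// not verified here, so a real pre-extraction validator should add that check.
/// One flagged entry: where its ustar header sits and the two sizes that disagree.
#[derive(Debug, PartialEq)]
pub struct SizeMismatch { pub offset: usize, pub ustar: u64, pub pax: u64 }

/// Parse the 12-byte octal size field at bytes 124..136 of a ustar header.
fn ustar_size(header: &[u8]) -> Option<u64> {
    let s = std::str::from_utf8(&header[124..136]).ok()?;
    let s = s.trim_matches(|c: char| c == '\0' || c == ' ');
    if s.is_empty() { Some(0) } else { u64::from_str_radix(s, 8).ok() }
}

/// Walk the "<len> key=value\n" records of a PAX body and return its `size` value.
fn pax_size(body: &[u8]) -> Option<u64> {
    let mut rest = body;
    while rest.last() == Some(&0) { rest = &rest[..rest.len() - 1]; } // NUL padding
    while !rest.is_empty() {
        let sp = rest.iter().position(|&b| b == b' ')?;
        let len: usize = std::str::from_utf8(&rest[..sp]).ok()?.parse().ok()?;
        if len <= sp + 1 || len > rest.len() { return None; } // malformed record
        let record = std::str::from_utf8(&rest[sp + 1..len]).ok()?;
        if let Some(v) = record.strip_prefix("size=") {
            return v.trim_end_matches('\n').parse().ok();
        }
        rest = &rest[len..];
    }
    None
}

/// Report entries whose preceding PAX `size` contradicts the ustar size; the walk
/// always advances by the ustar size, so reported offsets stay deterministic.
pub fn find_size_mismatches(tar: &[u8]) -> Vec<SizeMismatch> {
    let mut found = Vec::new();
    let (mut off, mut pending_pax) = (0usize, None::<u64>);
    while off + 512 <= tar.len() {
        let hdr = &tar[off..off + 512];
        if hdr.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        let size = match ustar_size(hdr) { Some(s) => s, None => break };
        let (start, end) = (off + 512, off + 512 + size as usize);
        if end > tar.len() { break; } // truncated archive
        if hdr[156] == b'x' {
            pending_pax = pax_size(&tar[start..end]); // applies to the next entry
        } else if let Some(pax) = pending_pax.take() {
            if pax != size { found.push(SizeMismatch { offset: off, ustar: size, pax }); }
        }
        off = start + ((size as usize + 511) & !511); // data padded to 512-byte blocks
    }
    found
}
```

A non-empty result is reason enough to reject the archive outright rather than extract it.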

In the context of software supply chain attacks, such a flaw could be exploited to replace configuration files or compromise build environments, granting attackers the ability to execute arbitrary commands on systems that rely on affected libraries.


Scope of Impact

The most alarming aspect of CVE-2025-62518 is its reach. While the original async-tar project is long abandoned, its fork tokio-tar, also inactive, has over 7 million downloads on crates.io, making it a de facto standard dependency across numerous Rust projects.

Edera warns that the true extent of exposure is difficult to determine due to the fragmented ecosystem and the proliferation of unmaintained forks.

“Because of the ubiquitous use of tokio-tar in various forms, it is impossible to precisely assess the radius of impact beforehand,” Edera researchers wrote. “Although some forks have been patched, the extremely popular tokio-tar remains unpatched.”

Affected Projects

According to Edera, TARmageddon impacts several high-profile open-source projects, including:

  • Binstalk
  • Astral’s uv (Python package manager)
  • wasmCloud platform
  • liboxen
  • testcontainers library

The list is likely incomplete, as many projects indirectly depend on tokio-tar through nested dependencies.


Coordination Challenges

Edera’s disclosure process highlights ongoing challenges in the Rust ecosystem’s security communication practices.
Neither async-tar nor tokio-tar provided a SECURITY.md file or any public contact information for vulnerability reporting.

Researchers ultimately had to use community outreach and social engineering to identify and reach responsible maintainers.
As a result:

  • async-tar and astral-tokio-tar have received security patches
  • tokio-tar, despite its popularity, remains unpatched and abandoned

Some dependent projects have already begun removing the vulnerable library or migrating to safer forks, while others have not responded or may be unaware of their exposure.


Edera strongly urges all developers to:

  • Remove dependencies on tokio-tar immediately
  • Upgrade to a patched fork such as astral-tokio-tar, which remains actively maintained

They also caution against the growing confusion caused by overlapping forks. To minimize ecosystem fragmentation, Edera will archive its own fork, krata-tokio-tar, after disclosure.

“Our goal is not to introduce yet another fork, but to encourage consolidation around secure and supported implementations,” Edera said.

Analysis

The TARmageddon vulnerability underscores a systemic problem in modern open-source ecosystems: abandoned dependencies that remain deeply embedded across software supply chains.

When widely used libraries like tokio-tar are left unmaintained, even a single logic error can cascade across thousands of projects—turning forgotten code into a potential entry point for remote compromise.

For developers and maintainers alike, the takeaway is clear: monitor your dependencies, audit for abandoned packages, and ensure that every link in the chain—no matter how small—remains under active stewardship.