CVE-2025-62518

HIGH

astral-tokio-tar < 0.5.6 - Archive Entry Smuggling via PAX Header Size Mismatch


Exploitation Summary

EIP tracks 3 public exploits for CVE-2025-62518. PoCs published by edera-dev, adminlove520, AirineiAndrei.

AI-analyzed exploit summary

This repository demonstrates CVE-2025-62518, a critical bug in async Rust tar libraries (tokio-tar, async-tar) where PAX extended header size overrides are not applied before calculating the next header position, causing incorrect file extraction. The PoC includes tools to generate repro cases and compare library behavior.

Description

astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX extended headers that contain size overrides, the parser incorrectly advances the stream position based on the ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds.

Exploits (3)

nomisec WORKING POC 18 stars
by edera-dev · poc
https://github.com/edera-dev/cve-tarmageddon


Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: tokio-tar, async-tar, krata-tokio-tar, astral-tokio-tar
No auth needed
Prerequisites: CMake, Rust/Cargo, C++ compiler, system tar command
devstral-2 · analyzed Feb 16, 2026
github WORKING POC 2 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-62518

This repository contains a functional proof-of-concept for CVE-2025-62518, demonstrating a PAX header desynchronization vulnerability in tokio-tar and related Rust tar libraries. The exploit leverages inconsistent handling of PAX extended headers to smuggle additional archive entries, leading to arbitrary file extraction.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: tokio-tar (versions prior to 0.5.6), async-tar, krata-tokio-tar, astral-tokio-tar
No auth needed
Prerequisites: untrusted tar archive processing · PAX extended headers with size overrides
devstral-2 · analyzed Feb 27, 2026
nomisec WORKING POC
by AirineiAndrei · poc
https://github.com/AirineiAndrei/Tarmageddon-CVE-2025-62518-

This PoC demonstrates CVE-2025-62518, a vulnerability in the `tokio-tar` Rust library where a mismatch in PAX and USTAR header parsing allows file smuggling. The exploit crafts a malicious tar archive that extracts an additional hidden file due to incorrect size handling.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: tokio-tar (versions prior to fix)
No auth needed
Prerequisites: Ability to deliver a malicious tar archive to a target using a vulnerable version of `tokio-tar`
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 8.1
EPSS 0.0002
EPSS Percentile 4.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-843
Status published
Products (3)
astral-sh/tokio-tar < 0.5.6
crates.io/astral-tokio-tar 0 - 0.5.6 (crates.io)
crates.io/tokio-tar 0 (crates.io)
Published Oct 21, 2025
Tracked Since Feb 18, 2026