astral-tokio-tar

High-severity parsing flaw in async-tar and forks could enable file overwrite and RCE

News, Research, Risk, Vendors, Vulnerabilities

October 22, 2025

A boundary parsing flaw in async-tar and forks including tokio-tar, tracked as CVE-2025-62518 and dubbed TARmageddon, can allow nested TARs to be treated as outer entries and be used to overwrite files and enable remote code execution; users are advised to migrate to astral-tokio-tar v0.5.6.