TARmageddon Flaw in Async-Tar Rust Library Allows Remote Code Execution
A critical vulnerability has been discovered in the Async-Tar Rust library, a popular tool for reading and writing tar archives. The bug, dubbed TARmageddon, could allow remote attackers to execute malicious code on vulnerable systems.
What is TARmageddon?
TARmageddon is a boundary parsing vulnerability in the Async-Tar library that can be exploited by an attacker to smuggle additional archive entries into the extraction process. The vulnerability occurs when processing archives with PAX-extended headers containing size overrides, causing the parser to incorrectly advance the stream position based on the ustar header size (often zero) instead of the PAX-specified size.
The flaw desynchronizes the parser from the archive stream in async-tar/tokio-tar, which allows an attacker to "smuggle" files from a nested TAR into the outer extraction. This can lead to serious security risks, including remote code execution, file overwrites during extraction, supply-chain poisoning, and bypassing security scanners or bill-of-materials checks.
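As an added example, not code from async-tar, tokio-tar or the report the article summarizes, the following Rust walker (standard library only) shows the stream-position rule the article describes: when a PAX extended header carries a `size` record, the data of the following entry is skipped by that PAX size, not by the ustar size field, and every entry where the two disagree is reported as a finding. The names `walk`, `build_header` and `sample_archive` are chosen here, and the sample archive is constructed inline; GNU base-256 size fields and sparse entries are not handled.

```rust
// Added example (not async-tar's code): a sequential tar walker that honours PAX "size"
// overrides when skipping entry data and flags entries whose PAX size disagrees with the
// ustar size field. Standard library only; GNU base-256 sizes and sparse entries are not handled.
use std::str;
pub const BLOCK: usize = 512;

#[derive(Debug, PartialEq)]
pub struct Entry { pub name: String, pub ustar_size: u64, pub pax_size: Option<u64> }
#[derive(Debug, PartialEq)]
pub struct Finding { pub name: String, pub ustar_size: u64, pub pax_size: u64 }

/// Parse a NUL- or space-terminated octal header field; an empty field reads as 0.
fn parse_octal(field: &[u8]) -> Result<u64, String> {
    let digits: String = field.iter().take_while(|&&b| b != 0 && b != b' ').map(|&b| b as char).collect();
    if digits.is_empty() { return Ok(0); }
    u64::from_str_radix(&digits, 8).map_err(|e| format!("bad octal field {digits:?}: {e}"))
}

/// Header checksum: the sum of all 512 bytes with the checksum field itself read as spaces.
fn checksum_ok(header: &[u8]) -> bool {
    let sum: u64 = header.iter().enumerate()
        .map(|(i, &b)| if (148..156).contains(&i) { b' ' as u64 } else { b as u64 }).sum();
    parse_octal(&header[148..156]) == Ok(sum)
}

/// A PAX body is a sequence of "<len> key=value\n" records; <len> counts the whole record.
fn parse_pax_records(body: &[u8]) -> Result<Vec<(String, String)>, String> {
    let (mut out, mut pos) = (Vec::new(), 0);
    while pos < body.len() {
        let sp = body[pos..].iter().position(|&b| b == b' ').ok_or("pax record without length")?;
        let len = str::from_utf8(&body[pos..pos + sp]).map_err(|e| e.to_string())?
            .parse::<usize>().map_err(|e| e.to_string())?;
        if len <= sp + 1 || pos + len > body.len() { return Err("pax record length out of range".into()); }
        let rec = str::from_utf8(&body[pos + sp + 1..pos + len]).map_err(|e| e.to_string())?;
        let (k, v) = rec.strip_suffix('\n').and_then(|r| r.split_once('=')).ok_or("malformed pax record")?;
        out.push((k.to_string(), v.to_string()));
        pos += len;
    }
    Ok(out)
}

fn pad(n: u64) -> usize { (n as usize + BLOCK - 1) / BLOCK * BLOCK } // round up to a 512-byte block

/// Walk the archive, skipping data by the PAX size when one is present (the ustar field is
/// often zero in that case) and recording every disagreement between the two sizes.
pub fn walk(archive: &[u8]) -> Result<(Vec<Entry>, Vec<Finding>), String> {
    let (mut entries, mut findings) = (Vec::new(), Vec::new());
    let (mut pending_pax, mut pos): (Option<u64>, usize) = (None, 0);
    while pos + BLOCK <= archive.len() {
        let header = &archive[pos..pos + BLOCK];
        if header.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        if !checksum_ok(header) { return Err(format!("bad header checksum at offset {pos}")); }
        let name = String::from_utf8_lossy(&header[0..100]).trim_end_matches('\0').to_string();
        let ustar_size = parse_octal(&header[124..136])?;
        pos += BLOCK;
        if header[156] == b'x' {
            // Extended header: its own body length is the ustar size; remember a size override.
            let body = archive.get(pos..pos + ustar_size as usize).ok_or("truncated pax body")?;
            for (k, v) in parse_pax_records(body)? {
                if k == "size" { pending_pax = Some(v.parse::<u64>().map_err(|e| e.to_string())?); }
            }
            pos += pad(ustar_size);
            continue;
        }
        let pax_size = pending_pax.take();
        let data_len = pax_size.unwrap_or(ustar_size);
        if let Some(p) = pax_size.filter(|&p| p != ustar_size) {
            findings.push(Finding { name: name.clone(), ustar_size, pax_size: p });
        }
        if pos + data_len as usize > archive.len() { return Err(format!("entry {name} is truncated")); }
        entries.push(Entry { name, ustar_size, pax_size });
        pos += pad(data_len); // skip by the PAX size, not by the (possibly zero) ustar field
    }
    Ok((entries, findings))
}

/// Build a ustar header with a valid checksum (helper for the constructed sample below).
pub fn build_header(name: &str, size: u64, typeflag: u8) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[124..136].copy_from_slice(format!("{size:011o}\0").as_bytes());
    h[148..156].copy_from_slice(b"        ");
    h[156] = typeflag;
    h[257..265].copy_from_slice(b"ustar\x0000");
    let sum: u64 = h.iter().map(|&b| b as u64).sum();
    h[148..156].copy_from_slice(format!("{sum:06o}\0 ").as_bytes());
    h
}

/// Constructed sample: one 20-byte file. With `pax_override` the size lives only in a PAX
/// "size" record while the ustar size field is zero, the shape the article describes.
pub fn sample_archive(pax_override: bool) -> Vec<u8> {
    let data = [b'A'; 20];
    let mut a = Vec::new();
    let mut size_field = data.len() as u64;
    if pax_override {
        let body = b"11 size=20\n"; // 11 = length of the whole record, count included
        a.extend_from_slice(&build_header("PaxHeaders/payload.txt", body.len() as u64, b'x'));
        a.extend_from_slice(body);
        a.resize(a.len() + BLOCK - body.len(), 0);
        size_field = 0;
    }
    a.extend_from_slice(&build_header("payload.txt", size_field, b'0'));
    a.extend_from_slice(&data);
    a.resize(a.len() + BLOCK - data.len() + 2 * BLOCK, 0); // pad data, then two zero blocks
    a
}
```

The `findings` list is where a pre-extraction check belongs: an archive in which a PAX `size` record and the ustar size field disagree is exactly the input on which a parser that consults only the ustar field loses its position, so a scanner or extractor can refuse or quarantine such archives before any entry is written to disk. A production walker would additionally handle `g` global headers and GNU long-name entries, which this example ignores.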
Exploitation Scenarios
In practical attack scenarios, the vulnerability can be exploited in several ways:
- A malicious Python package that replaces build backends can cause Remote Code Execution (RCE) during installation.
- Poisoned container image layers can inject files into test environments.
- Scanners can approve an outer TAR while the vulnerable extractor pulls hidden, unscanned files from an inner TAR.
The Impact of TARmageddon
The discovery of TARmageddon highlights that Rust is not a silver bullet for eliminating all types of vulnerabilities. While Rust's guarantees make it harder to introduce memory safety bugs like buffer overflows or use-after-free, they do not eliminate logic bugs.
"The parsing inconsistency caused by the mismatched header handling creates stream misalignment, enabling hidden payloads in nested TARs and serious supply-chain and deployment risks," concludes the report. "Developers must remain vigilant against all classes of vulnerabilities, regardless of the language used."
The Fix
Async-Tar library versions prior to 0.5.6 contain the TARmageddon vulnerability. The fix is available in version 0.5.6 and later.
CVE-2025-62518: A Critical Vulnerability to Watch
The vulnerability has been assigned a CVSS score of 8.1, indicating its high severity and potential impact on systems that use the Async-Tar library.
Stay Safe Online
If you're using the Async-Tar library in your projects, make sure to update to version 0.5.6 or later to avoid this vulnerability. Additionally, stay informed about security updates and patches for your dependencies to protect yourself against emerging threats.