
tokio-tar, a Rust async TAR library with over 5 million crates.io downloads, has a high-severity remote code execution vulnerability — and no patch is coming. The maintainer abandoned it in 2023. Security researchers at Edera disclosed CVE-2025-62518 (dubbed TARmageddon) this week, and the blast radius hits more than just Rust projects: Astral’s uv Python package manager, testcontainers, and wasmCloud are all in the fire. If you’re using any of these, stop and read this first.
What’s the Bug?
TAR archives support two header formats: PAX (extended) and ustar (legacy). When a file entry has both, and they disagree on file size, tokio-tar trusts the wrong one. If the PAX header says the file is 1MB but the ustar header says zero bytes, the parser advances zero bytes through the stream instead of skipping the full file data. The parser then walks straight into the next header — which is the start of a nested inner archive — and treats those entries as legitimate outer-archive entries.
The attacker’s job is to craft a malicious TAR with this exact mismatch. When your code extracts it, smuggled entries get written to disk. Those entries can overwrite config files, build scripts, or binaries. Overwrite ~/.cargo/config.toml or a CI build script and you own the next build. That’s your RCE. CVSS score: 8.1 (High). Edera’s full technical disclosure includes a proof-of-concept.
Who’s Affected
The original bug lived in async-tar and propagated to every fork in its family tree. tokio-tar is the most downloaded fork, with 5 million+ installs, and it has been unmaintained since July 2023. Beyond tokio-tar itself, three major projects were confirmed affected:
- uv — Astral’s Python package manager uses tokio-tar internally for archive handling. Astral forked it as
astral-tokio-tarand has already shipped the fix. - testcontainers — The Rust integration testing library used to spin up Docker containers in tests.
- wasmCloud — The cloud-native WebAssembly runtime used in distributed systems and serverless workloads.
If you run cargo tree | grep tokio-tar and see anything, you have work to do.
Fix It Now
tokio-tar will not be patched. The fix is to replace it with astral-tokio-tar, which addressed CVE-2025-62518 in version 0.5.6. The migration is a one-line Cargo.toml change:
# Remove this:
tokio-tar = "0.22"
# Add this:
astral-tokio-tar = "0.5.6"
Verify with these commands:
# Detect tokio-tar in your dependency tree
cargo tree | grep tokio-tar
# Flag CVE-2025-62518 and other known vulnerabilities
cargo audit
If you’re a uv user, update to the latest release (June 26, 2026 or later) — Astral bundled astral-tokio-tar v0.6.3+ with additional hardening beyond the minimum CVE fix. Check testcontainers and wasmCloud release notes for their updated dependency versions. The RustSec advisory database lists this and other known Rust crate vulnerabilities.
The Bigger Problem
“Rust is memory-safe” has become a security comfort blanket, and it shouldn’t be. Memory safety eliminates buffer overflows, use-after-free bugs, and data races. It does not eliminate logic errors. The parser in tokio-tar chose the wrong header value to determine file size — that’s a logic mistake, not a memory mistake. The borrow checker was never going to catch it.
The same applies to supply chain risk. No type system protects you when your dependency is abandoned and carrying an unpatched RCE. The ecosystem dependency on volunteer maintainers means “popular” and “maintained” are two different things — and crates.io doesn’t surface that distinction clearly enough. Running cargo audit and reviewing your dependency tree for unmaintained crates should be as routine as writing tests. CVE-2025-62518 is a good reminder that it’s not optional.













