A high-severity vulnerability, tracked as CVE-2025-62518 and codenamed TARmageddon, was discovered in the async-tar Rust library and its numerous forks, including tokio-tar, astral-tokio-tar, krata-tokio-tar, and others. The flaw, which carries a CVSS score of 8.1, allows for remote code execution (RCE) through file overwriting attacks, such as replacing configuration files or hijacking build backends. The vulnerability stems from inconsistent handling of PAX extended headers and ustar headers when determining file data boundaries, specifically when processing archives with PAX-extended headers containing size overrides. This parsing error enables attackers to smuggle additional archive entries by exploiting the mismatch, causing the parser to interpret file content as legitimate TAR headers. The async-tar library and its forks are widely used in critical tools and environments, including the uv Python package manager, testcontainers, and wasmCloud, amplifying the potential impact of the flaw. The most popular fork, tokio-tar, has over 5 million downloads on crates.io but is no longer maintained, increasing the risk as users may not receive timely patches. Edera, the security company that discovered the vulnerability in August 2025, highlighted the systemic risk posed by the open-source abandonware crisis, as the bug was inherited by a deep lineage of forks after the original project became unmaintained. Edera created and distributed patches for active forks, with astral-tokio-tar releasing version 0.5.6 to remediate the issue. However, users of unmaintained forks like tokio-tar are advised to migrate to patched alternatives such as astral-tokio-tar. The vulnerability's discovery underscores the challenges in tracking and patching security flaws in widely forked and abandoned open-source projects. The flaw's presence in foundational libraries for async archive processing in the Rust ecosystem means that build systems and production environments across many organizations could be at risk. Security experts warn that the lack of visibility into the use of these libraries further complicates mitigation efforts. The incident has reignited discussions about the need for better maintenance and oversight of critical open-source infrastructure. Organizations relying on affected libraries are urged to assess their exposure and implement available patches or migrate to maintained alternatives immediately. The coordinated disclosure and patching efforts by Edera aimed to minimize the window of exploitation before public announcement. This event highlights the importance of proactive vulnerability management and the risks associated with relying on unmaintained open-source components.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
On 2025-10-21, Edera publicly disclosed CVE-2025-62518, assigning it a CVSS score of 8.1 and warning that widespread forking and poor dependency visibility could amplify impact. Public reporting highlighted the risk to build systems and production environments from inherited vulnerabilities in abandoned open-source code.
On 2025-08-22, Edera produced patches and began a decentralized remediation effort to get fixes into active forks and downstream projects before public disclosure. The issue was reported as affecting projects including tokio-tar and the uv package manager.
On 2025-08-21, Edera identified a high-severity boundary-parsing logic flaw in the abandoned Rust async-tar codebase. The vulnerability, later dubbed TARmageddon, could enable file overwrites leading to remote code execution and was found to affect forks and downstream consumers.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
6 references tracked. Mallory keeps watching after this page renders.
thecyberexpress.com
Open sourcego.theregister.com
Open sourcethehackernews.com
Open sourcesecurityaffairs.com
Open sourcecsoonline.com
Open sourcecyberscoop.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.