logo

Database

Lack of data validation - Path Traversal In astral-tokio-tar

Description

astral-tokio-tar: unpack_in can chmod arbitrary directories by following symlinks

Impact

In versions 0.6.0 and earlier of astral-tokio-tar, the unpack_in API could inadvertently modify the permissions of external (i.e. non-archive) directories outside of the archive. An attacker could use this to contrite a tar archive that maliciously changes directory permissions outside of its intended hierarchy. This flaw only affects directories; individual file permissions cannot be modified via it.

See GHSA-j4xf-2g29-59ph for the equivalent flaw in the tar crate.

Patches

Versions 0.6.1 and newer of astral-tokio-tar use fs::symlink_metdata rather than fs::metadata, avoiding the traversal.

Workarounds

Users are advised to upgrade to version 0.6.1 or newer to address this advisory.

Users should experience no breaking changes as a result of the patch above.

Resources

    GHSA-j4xf-2g29-59ph for the original tar vulnerability

Attribution

    Reporter: Adam Harvey (@lawngnome)

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GHSA-xx64-wwv2-hcqq2. GCVE-GHSA-xx64-wwv2-hcqq

References

1. https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-xx64-wwv2-hcqq2. https://rustsec.org/advisories/RUSTSEC-2026-0113.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.