logo

Database

Insecure object reference In astral-tokio-tar

Description

astral-tokio-tar is Vulnerable to PAX Header Desynchronization

Impact

Versions of astral-tokio-tar prior to 0.6.1 contain a PAX header interpretation bug that allows manipulated entries to be made selectively visible or invisible during extraction with astral-tokio-tar versus other tar implementations. An attacker could use this differential to smuggle unexpected files onto a victim's filesystem.

See GHSA-j5gw-2vrg-8fgx for a similar desynchronization bug in astral-tokio-tar.

Patches

Versions 0.6.1 and newer of astral-tokio-tar address this differential.

Workarounds

Users are advised to upgrade to version 0.6.1 or newer to address this advisory.

There is no workaround other than upgrading. Users should experience no breaking changes as a result of the upgrade.

Resources

    GHSA-j5gw-2vrg-8fgx is a similar PAX desynchronization bug

Attribution

    Reporter: Adam Harvey (@lawngnome)

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GHSA-fp55-jw48-c5372. GCVE-GHSA-fp55-jw48-c537

References

1. https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-fp55-jw48-c5372. https://rustsec.org/advisories/RUSTSEC-2026-0112.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.