
A critical vulnerability has been discovered in Rust's popular async-tar library, raising concerns for developers and IT teams that ship Rust-based applications. Researchers at Edera have identified a boundary-parsing flaw, dubbed TARmageddon (CVE-2025-62518), that exists not only in async-tar but also in its many forks, including tokio-tar, which is widely used across the Rust ecosystem. The bug lets an attacker who can supply an archive perform file-overwriting attacks that could lead to Remote Code Execution (RCE).
The researchers rate the vulnerability at 8.1 (high severity), with potential impacts ranging from overwriting critical configuration files to hijacking build pipelines. Additionally, malicious TAR files could be passed along by the applications that process them, creating supply chain risks that might compromise numerous downstream projects. The issue is particularly alarming because many of the affected forks, including tokio-tar, remain unpatched and are no longer maintained, leaving a significant portion of the Rust ecosystem exposed.
To mitigate the risk, Edera recommends patching all active forks of the TAR libraries. For developers using tokio-tar, the suggested alternative is migrating to astral-tokio-tar version 0.5.6 or later, which has been patched. IT leaders are also urged to scan the Rust-based applications in their environments to identify potential exposure, especially since TAR files are commonly used for packaging software and backups, so a single vulnerable library can expose multiple systems.
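The exposure scan recommended above can start from a project's `Cargo.lock`, which records every crate and version a build pulled in. The script below is an added example, not Edera's tooling or any project's own code: it parses `[[package]]` tables and flags the crates named in this article (async-tar and tokio-tar, which have no fixed release, and astral-tokio-tar below 0.5.6). The lock-file text is constructed for the demo; the function names and the advice strings are this example's own.

```python
"""Added example (not Edera's tooling): scan a Cargo.lock for crates named in
the TARmageddon (CVE-2025-62518) write-up.

Crate names and the fixed version come from the article: async-tar and
tokio-tar have no fixed release, astral-tokio-tar is fixed from 0.5.6. The
lock-file text below is constructed for the demo.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample lock file: one unpatched fork, one patched fork, one
# unrelated crate and a top-level "version = 3" line that must be ignored.
SAMPLE_CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "astral-tokio-tar"
version = "0.5.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "tokio",
]

[[package]]
name = "serde"
version = "1.0.210"

[[package]]
name = "tokio-tar"
version = "0.3.1"
"""

# First patched version per crate; None means no fixed release exists and
# the article's advice is to migrate to astral-tokio-tar.
FIRST_FIXED = {
    "async-tar": None,
    "tokio-tar": None,
    "astral-tokio-tar": (0, 5, 6),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric dotted prefix only: '0.5.6-beta.1' -> (0, 5, 6)."""
    match = re.match(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def parse_cargo_lock(text: str) -> List[Tuple[str, str]]:
    """Collect (name, version) from every [[package]] table.

    A full TOML parser is not needed here: Cargo writes one key per line and
    the name line always precedes the version line inside a table.
    """
    packages: List[Tuple[str, str]] = []
    name: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            name = None
        elif line.startswith("name = ") and name is None:
            name = line.split("=", 1)[1].strip().strip('"')
        elif line.startswith("version = ") and name is not None:
            version = line.split("=", 1)[1].strip().strip('"')
            packages.append((name, version))
            name = None  # one version per table
    return packages


def find_exposed(packages: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (name, version, advice) for each crate that is still exposed."""
    exposed = []
    for name, version in packages:
        if name not in FIRST_FIXED:
            continue
        fixed = FIRST_FIXED[name]
        if fixed is None:
            exposed.append((name, version,
                            "no fixed release; migrate to astral-tokio-tar >= 0.5.6"))
        elif parse_version(version) < fixed:
            exposed.append((name, version, "upgrade to 0.5.6 or later"))
    return exposed


if __name__ == "__main__":
    for name, version, advice in find_exposed(parse_cargo_lock(SAMPLE_CARGO_LOCK)):
        print(f"{name} {version}: {advice}")
```

Run it against a real lock file by replacing `SAMPLE_CARGO_LOCK` with the file's contents; forks not named in the article will not be flagged, so extend `FIRST_FIXED` from the advisory as further forks are confirmed.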
Experts highlight the critical nature of this flaw because of the fundamental role TAR files play in Unix and Linux environments. A vulnerable library could allow attackers to execute arbitrary code, overwrite essential files, or gain unauthorized filesystem access. Because the vulnerable forks often sit inside unmaintained projects, the likelihood of exploitation increases. While no attacks have been reported yet, security professionals stress that the high severity rating makes the flaw a likely target for malicious actors in the near future.
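Until every fork is patched, applications that unpack untrusted archives can add a layer of defence at the point where entries are written to disk: refuse anything that would overwrite an existing path or resolve outside the destination directory, whatever the parser hands back. The following is an added example, not code from the article or from any of the affected crates; it uses Python's `tarfile` module rather than the Rust libraries so it runs offline, and the archive it extracts is constructed for the demo (the entry names, `safe_extract` and `run_demo` are this example's own).

```python
"""Added example (not from the article or the affected crates): an
extraction wrapper that refuses archive entries able to overwrite or
escape the destination, whatever the tar parser hands back.

Uses Python's tarfile module rather than the Rust crates so it runs
offline; the archive contents are constructed for the demo.
"""
import io
import os
import tarfile
import tempfile
from typing import List, Tuple


def build_sample_archive() -> bytes:
    """Constructed archive: one benign entry and three that must be refused."""
    entries = [
        ("app/config.toml", b"[server]\nport = 8080\n"),
        ("/etc/passwd", b"root::0:0::/:/bin/sh\n"),   # absolute path
        ("../escape.txt", b"outside the target\n"),   # parent traversal
        ("app/existing.txt", b"replaced\n"),          # would overwrite
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in entries:
            info = tarfile.TarInfo(name)  # TarInfo keeps the name verbatim
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def safe_extract(archive: bytes, dest: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Write regular files only; return (written names, (name, reason) rejects)."""
    dest_real = os.path.realpath(dest)
    written: List[str] = []
    rejected: List[Tuple[str, str]] = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tf:
        for member in tf.getmembers():
            # realpath also follows any symlinked directory already under dest
            target = os.path.realpath(os.path.join(dest_real, member.name))
            if not member.isreg():
                rejected.append((member.name, "not a regular file"))
                continue
            if os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append((member.name, "resolves outside destination"))
                continue
            if os.path.lexists(target):
                rejected.append((member.name, "would overwrite existing path"))
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(tf.extractfile(member).read())
            written.append(member.name)
    return written, rejected


def run_demo() -> Tuple[List[str], List[Tuple[str, str]], bytes]:
    """Stage a destination with one pre-existing file, extract, and report."""
    dest = tempfile.mkdtemp(prefix="tar-demo-")
    existing = os.path.join(dest, "app", "existing.txt")
    os.makedirs(os.path.dirname(existing))
    with open(existing, "wb") as f:
        f.write(b"original\n")
    written, rejected = safe_extract(build_sample_archive(), dest)
    with open(existing, "rb") as f:
        kept = f.read()  # must still be the original content
    return written, rejected, kept


if __name__ == "__main__":
    written, rejected, kept = run_demo()
    print("written :", written)
    for name, reason in rejected:
        print(f"rejected: {name!r} ({reason})")
```

The wrapper deliberately handles only regular files; symlinks, hard links and device entries are reported rather than created, and the overwrite check is done against the resolved path so that a pre-existing symlink under the destination cannot redirect a write elsewhere.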

