Skip to content

PAX Header Desynchronization in astral-tokio-tar

Moderate
woodruffw published GHSA-fp55-jw48-c537 Apr 27, 2026

Package

cargo astral-tokio-tar (Rust)

Affected versions

<= 0.6.0

Patched versions

0.6.1

Description

Impact

Versions of astral-tokio-tar prior to 0.6.1 contain a PAX header interpretation bug that allows manipulated entries to be made selectively visible or invisible during extraction with astral-tokio-tar versus other tar implementations. An attacker could use this differential to smuggle unexpected files onto a victim's filesystem.

See GHSA-j5gw-2vrg-8fgx for a similar desynchronization bug in astral-tokio-tar.

Patches

Versions 0.6.1 and newer of astral-tokio-tar address this differential.

Workarounds

Users are advised to upgrade to version 0.6.1 or newer to address this advisory.

There is no workaround other than upgrading. Users should experience no breaking changes as a result of the upgrade.

References

Attribution

Severity

Moderate

CVE ID

No known CVE

Weaknesses

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Learn more on MITRE.

Access of Resource Using Incompatible Type ('Type Confusion')

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. Learn more on MITRE.

Credits