Skip to content

`unpack_in` can chmod arbitrary directories by following symlinks

Low
woodruffw published GHSA-xx64-wwv2-hcqq Apr 27, 2026

Package

cargo astral-tokio-tar (Rust)

Affected versions

<= 0.6.0

Patched versions

0.6.1

Description

Impact

In versions 0.6.0 and earlier of astral-tokio-tar, the unpack_in API could inadvertently modify the permissions of external (i.e. non-archive) directories outside of the archive. An attacker could use this to contrite a tar archive that maliciously changes directory permissions outside of its intended hierarchy. This flaw only affects directories; individual file permissions cannot be modified via it.

See GHSA-j4xf-2g29-59ph for the equivalent flaw in the tar crate.

Patches

Versions 0.6.1 and newer of astral-tokio-tar use fs::symlink_metdata rather than fs::metadata, avoiding the traversal.

Workarounds

Users are advised to upgrade to version 0.6.1 or newer to address this advisory.

Users should experience no breaking changes as a result of the patch above.

References

Attribution

Severity

Low

CVE ID

No known CVE

Weaknesses

UNIX Symbolic Link (Symlink) Following

The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. Learn more on MITRE.

Credits