GHSA-3cv2-h65g-fgmm

ADVISORY - rustsec

Summary

Versions of astral-tokio-tar prior to 0.6.2 contain a PAX header interpretation bug that allows manipulated entries to be made selectively visible or invisible during extraction with astral-tokio-tar versus other tar implementations. An attacker could use this differential to smuggle unexpected files onto a victim's filesystem.

Common Weakness Enumeration (CWE)

Impacted images

Advisories

RustSec

CREATED

6 days ago

UPDATED

6 days ago

ADVISORY IDRUSTSEC-2026-0145⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Package	Type	OS Name	OS Version	Affected Ranges	Fix Versions
astral-tokio-tar	cargo	-	-	<0.6.2	0.6.2

Severity and metrics

No CVSS data available from this advisory.