GHSA-fp55-jw48-c537

ADVISORY - github

Summary

Impact

Versions of astral-tokio-tar prior to 0.6.1 contain a PAX header interpretation bug that allows manipulated entries to be made selectively visible or invisible during extraction with astral-tokio-tar versus other tar implementations. An attacker could use this differential to smuggle unexpected files onto a victim's filesystem.

See GHSA-j5gw-2vrg-8fgx for a similar desynchronization bug in astral-tokio-tar.

Patches

Versions 0.6.1 and newer of astral-tokio-tar address this differential.

Workarounds

Users are advised to upgrade to version 0.6.1 or newer to address this advisory.

There is no workaround other than upgrading. Users should experience no breaking changes as a result of the upgrade.

Resources

GHSA-j5gw-2vrg-8fgx is a similar PAX desynchronization bug

Attribution

Reporter: Adam Harvey (@lawngnome)

Common Weakness Enumeration (CWE)

ADVISORY - github

CWE-20⁠

Improper Input Validation

CWE-843⁠

Access of Resource Using Incompatible Type ('Type Confusion')

Impacted images

Advisories

GitHub

CREATED

6 days ago

UPDATED

6 days ago

ADVISORY IDGHSA-fp55-jw48-c537⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-20⁠CWE-843⁠

CVSS SCORE

6.6medium

RustSec

CREATED

16 days ago

UPDATED

14 days ago

ADVISORY IDRUSTSEC-2026-0112⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

3 days ago

UPDATED

3 days ago

ADVISORY ID

CGA-8qgm-prvx-jwwr

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

5 days ago

UPDATED

5 days ago

ADVISORY ID

MINI-gqjq-54cq-p5v6

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY