GHSA-xx64-wwv2-hcqq

ADVISORY - github

Summary

Impact

In versions 0.6.0 and earlier of astral-tokio-tar, the unpack_in API could inadvertently modify the permissions of external (i.e. non-archive) directories outside of the archive. An attacker could use this to contrite a tar archive that maliciously changes directory permissions outside of its intended hierarchy. This flaw only affects directories; individual file permissions cannot be modified via it.

See GHSA-j4xf-2g29-59ph for the equivalent flaw in the tar crate.

Patches

Versions 0.6.1 and newer of astral-tokio-tar use fs::symlink_metdata rather than fs::metadata, avoiding the traversal.

Workarounds

Users are advised to upgrade to version 0.6.1 or newer to address this advisory.

Users should experience no breaking changes as a result of the patch above.

Resources

GHSA-j4xf-2g29-59ph for the original tar vulnerability

Attribution

Reporter: Adam Harvey (@lawngnome)

Common Weakness Enumeration (CWE)

ADVISORY - github

CWE-61⁠

UNIX Symbolic Link (Symlink) Following

Impacted images

Advisories

GitHub

CREATED

6 days ago

UPDATED

6 days ago

ADVISORY IDGHSA-xx64-wwv2-hcqq⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-61⁠

CVSS SCORE

2.7low

RustSec

CREATED

16 days ago

UPDATED

14 days ago

ADVISORY IDRUSTSEC-2026-0113⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

3 days ago

UPDATED

3 days ago

ADVISORY ID

CGA-9x29-c5cx-9r8f

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

5 days ago

UPDATED

5 days ago

ADVISORY ID

MINI-wwpg-3227-phxw

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY