CNNVD-202509-3643 Information
CNNVD ID
CNNVD-202509-3643
Related CVE
- CNNVD Published: 2025-09-23
Description (Chinese)
astral-tokio-tar is an open-source Rust library from Astral. astral-tokio-tar 0.5.3 and earlier versions contain a security vulnerability: the Entry_unpack_in_raw API is subject to a path traversal issue, and the Entry_allow_external_symlinks control can be bypassed, which may lead to arbitrary file writes and code execution.
Description (English)
astral-tokio-tar is an open-source Rust library from Astral. astral-tokio-tar 0.5.3 and earlier versions contain a security vulnerability: the Entry_unpack_in_raw API is subject to a path traversal issue, and the Entry_allow_external_symlinks control can be bypassed, which may lead to arbitrary file writes and code execution.
Hazard Level
High
Vulnerability Type
Other
Affected Vendor
AstrBot
Published
2025-09-23
Last Modified
2026-02-24
References
https://github.com/astral-sh/uv/issues/12163
https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-3wgq-wrwc-vqmv
https://github.com/astral-sh/tokio-tar/commit/036fdecc85c52458ace92dc9e02e9cef90684e75
https://vigilance.fr/vulnerability/Rust-astral-tokio-tar-directory-traversal-via-Entry-unpack-in-raw-48376
https://access.redhat.com/security/cve/cve-2025-59825
Patch
https://github.com/astral-sh/tokio-tar/releases