CNNVD-202510-2734 Information
CNNVD ID
CNNVD-202510-2734
Related CVE
-
CNNVD Published: 2025-10-21
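Description (translated from Chinese)
astral-tokio-tar is an open-source Rust library from Astral. Versions of astral-tokio-tar before 0.5.6 contain a security vulnerability that stems from inconsistent boundary parsing and can cause file content to be interpreted as legitimate tar headers.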
Description (English)
astral-tokio-tar is an open-source Rust library maintained by Astral. Versions before 0.5.6 have a vulnerability caused by inconsistent boundary parsing, which can lead to file content being interpreted as legitimate tar headers.
Hazard Level
Medium
Vulnerability Type
Other
Affected Vendor
Astral
Published
2025-10-21
Last Modified
2026-02-24
References
https://github.com/astral-sh/tokio-tar/commit/22b3f884adb7a2adf1d3a8d03469533f5cbc8318
https://edera.dev/stories/tarmageddon
https://github.com/edera-dev/cve-tarmageddon
https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9
https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-j5gw-2vrg-8fgx
https://vigilance.fr/vulnerability/Rust-astral-tokio-tar-file-read-write-via-PAX-Header-Desynchronization-48637
Patch
https://github.com/astral-sh/tokio-tar/releases