CVE-2025-59825
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-23

Last updated on: 2025-09-24

Assigner: GitHub, Inc.

Description
astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.3 and earlier of astral-tokio-tar, tar archives may extract outside of their intended destination directory when using the Entry::unpack_in_raw API. Additionally, the Entry::allow_external_symlinks control (which defaults to true) could be bypassed via a pair of symlinks that individually point within the destination but combine to point outside of it. These behaviors could be used individually or combined to bypass the intended security control of limiting extraction to the given directory. This in turn would allow an attacker with a malicious tar archive to perform an arbitrary file write and potentially pivot into code execution. This issue has been patched in version 0.5.4. There is no workaround other than upgrading.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-23
Last Modified
2025-09-24
Generated
2026-06-16
AI Q&A
2025-09-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59825
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
astral tokio-tar 0.5.4
uv uv 0.6.6
astral tokio-tar 0.5.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the astral-tokio-tar library (version 0.5.3 and earlier) used for reading and writing tar archives asynchronously in Rust. It allows tar archives to extract files outside of their intended destination directory when using the Entry::unpack_in_raw API. Additionally, the security control Entry::allow_external_symlinks, which is meant to prevent extraction outside the target directory, can be bypassed using a pair of symlinks that individually point inside the destination but together point outside. This can lead to arbitrary file writes and potentially allow an attacker to execute code.

Impact Analysis

If you use astral-tokio-tar version 0.5.3 or earlier to extract tar archives, an attacker could craft a malicious tar archive that exploits this vulnerability to write files outside the intended directory. This could lead to unauthorized file overwrites and potentially allow the attacker to execute arbitrary code on your system, compromising its security.

Mitigation Strategies

The only mitigation is to upgrade astral-tokio-tar to version 0.5.4 or later, as there is no workaround other than upgrading.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59825. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart