CVE-2025-62518
BaseFortify
Publication date: 2025-10-21
Last updated on: 2025-10-21
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| astral | tokio-tar | 0.5.5 |
| python | uv | 0.9.4 |
| python | uv | 0.9.5 |
| astral | tokio-tar | 0.5.6 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-843 | The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the astral-tokio-tar library versions prior to 0.5.6. It is a boundary parsing issue where the library incorrectly handles PAX-extended headers with size overrides. Specifically, when processing such archives, the parser advances the stream position based on the ustar header size (often zero) instead of the PAX-specified size. This causes the parser to misinterpret file content as legitimate tar headers, allowing attackers to smuggle additional archive entries.
How can this vulnerability impact me? :
This vulnerability can allow attackers to smuggle additional archive entries into tar files, potentially leading to unauthorized file extraction or manipulation. Because the parser misinterprets file content as headers, it may cause security issues such as data integrity compromise or unauthorized access to files within the archive. The CVSS score indicates high confidentiality and integrity impact, meaning sensitive data could be exposed or altered.
What immediate steps should I take to mitigate this vulnerability?
Update the astral-tokio-tar library to version 0.5.6 or later, as this version contains the patch for the boundary parsing vulnerability. There are no workarounds available.