On October 21, 2025, security researchers disclosed details for CVE-2025-62518, a vulnerability in systems and applications that rely on the async-tar library and its derivatives for TAR archive parsing. The library is a Rust-based implementation for reading and writing TAR archives in asynchronous environments, and it is widely used in cloud-native and containerized applications.
The flaw allows threat actors to overwrite files during extraction due to how certain Rust libraries parse TAR archives. Exploitation requires crafting a TAR archive with conflicting headers, which is technically feasible but not trivial. Successful exploitation also depends on the target system using a vulnerable Rust library and processing untrusted TAR files without additional validation. However, successful exploitation can ultimately lead to remote code execution and does not require prior authentication. The CVSS version 3.1 score for the flaw is 8.1 out of 10, and it’s rated with High severity.
The vulnerability affects any system or build environment that processes or extracts untrusted `.tar` or `.tgz` files via the affected Rust libraries. `.tgz` files are in scope because they are gzip-compressed `.tar` archives: when a `.tgz` file is decompressed, the embedded `.tar` content is parsed, potentially triggering the flaw. The gzip layer does not mitigate the issue; it only compresses the archive.
CVE-2025-62518 affects Rust-based tools, CI/CD pipelines, container build systems, and cloud platforms that handle untrusted archives. The issue has been remediated through targeted patches in actively maintained forks:
Unmaintained forks, particularly tokio-tar, remain vulnerable and are unsafe to deploy.
The vulnerability has broad implications across several layers of the software supply chain, particularly for software vendors, DevOps teams, cloud-native platforms, and package distribution networks. It is not limited to a specific application but extends to any environment where these libraries are used to extract archive files, particularly in automated or developer-facing infrastructure.
Systems built with or relying on asynchronous archive handling - especially for CI/CD, packaging, and containerization - are at risk until they migrate to patched forks. The flaw also exposes a significant software supply chain security gap due to the abandonment and replication of unmaintained code in popular open-source projects.
Although the need for targeted archive crafting and specific application behavior lowers the likelihood of widespread exploitation, this flaw could ultimately lead to a full system compromise.
Organizations using these libraries are advised to upgrade to the latest patched versions as soon as possible. Where upgrades are not feasible, restricting TAR archive inputs to trusted sources and validating archive contents before extraction can reduce exposure.
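One way to implement such a pre-extraction check, as an added example that is not code from the advisory or from any of the libraries it names: it walks the raw 512-byte header blocks and rejects an archive when a PAX extended header's `size` record disagrees with the ustar size field of the entry it describes. That the "conflicting headers" are this PAX/ustar size pair is an assumption, and `check_tar` and `build` are hypothetical names.

```rust
// Added example (not from the advisory or the libraries it names). Assumption: the "conflicting headers" are a PAX `size` record that disagrees with the ustar size field.
const BLOCK: usize = 512;
/// Parse a NUL/space-terminated octal header field, e.g. the 12-byte size field.
fn octal_field(bytes: &[u8]) -> Option<u64> {
    let s = std::str::from_utf8(bytes).ok()?.trim_end_matches(|c: char| c == '\0' || c == ' ');
    if s.is_empty() { Some(0) } else { u64::from_str_radix(s, 8).ok() }
}
/// Find the `size=` record among the "len key=value\n" records of a PAX header body.
fn pax_size(body: &[u8]) -> Option<u64> {
    body.split(|&b| b == b'\n')
        .filter_map(|rec| std::str::from_utf8(rec).ok().and_then(|r| r.split_once(' ')))
        .find_map(|(_, kv)| kv.strip_prefix("size=").and_then(|v| v.parse().ok()))
}
/// Walk the headers; reject a PAX `size` that disagrees with the next entry's ustar size
/// field, or an entry running past the buffer. Returns the number of non-PAX entries.
pub fn check_tar(archive: &[u8]) -> Result<usize, String> {
    let (mut pos, mut entries, mut pending) = (0usize, 0usize, None::<u64>);
    while pos + BLOCK <= archive.len() {
        let hdr = &archive[pos..pos + BLOCK];
        if hdr.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        let size = octal_field(&hdr[124..136]).and_then(|s| usize::try_from(s).ok()).ok_or("bad size field")?;
        if size > archive.len() { return Err("truncated entry".into()); } // keeps the sums below in range
        let end = pos + BLOCK + (size + BLOCK - 1) / BLOCK * BLOCK; // data is padded to whole blocks
        let data = archive.get(pos + BLOCK..end).ok_or("truncated entry")?;
        if hdr[156] == b'x' {
            pending = pax_size(&data[..size]); // the PAX record applies to the entry that follows
        } else {
            if let Some(p) = pending.take().filter(|&p| p != size as u64) {
                return Err(format!("entry {entries}: PAX size {p} != ustar size {size}"));
            }
            entries += 1;
        }
        pos = end;
    }
    Ok(entries)
}
pub fn build(entries: &[(&str, u8, &str, Option<u64>)]) -> Vec<u8> {
    let mut out = Vec::new(); // constructed sample archive: (name, typeflag, data, ustar-size override)
    for &(name, flag, data, size_override) in entries {
        let mut h = [0u8; BLOCK]; // checksum left blank: check_tar() does not verify it
        h[..name.len()].copy_from_slice(name.as_bytes());
        h[124..136].copy_from_slice(format!("{:011o}\0", size_override.unwrap_or(data.len() as u64)).as_bytes());
        h[156] = flag;
        out.extend_from_slice(&h);
        out.extend_from_slice(data.as_bytes());
        out.resize((out.len() + BLOCK - 1) / BLOCK * BLOCK, 0);
    }
    out.resize(out.len() + 2 * BLOCK, 0); // two zero blocks terminate the archive
    out
}
```

Entries larger than 8 GiB legitimately carry a PAX `size` record that the 12-byte octal field cannot hold, so a production check would relax the comparison for that case rather than rejecting outright.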
Security teams are encouraged to audit dependencies for use of async-tar or its forks, and assess exposure in build systems, deployment pipelines, and container orchestration environments. Security teams are also encouraged to monitor for unexpected file changes or archive anomalies.