PAX Header Desynchronization in astral-tokio-tar
| Details | |
|---|---|
| Package | astral-tokio-tar |
| Version | 0.6.0 |
| URL | GHSA-3cv2-h65g-fgmm |
| Date | 2026-05-18 |
| Patched versions | >=0.6.2 |
Versions of astral-tokio-tar prior to 0.6.2 contain a PAX header interpretation bug that allows manipulated entries to be made selectively visible or invisible during extraction with astral-tokio-tar versus other tar implementations. An attacker could use this differential to smuggle unexpected files onto a victim's filesystem.
See advisory page for additional details.
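To make the "selectively visible or invisible" effect concrete, here is an added example that is not code from astral-tokio-tar, the advisory, or the fix. A PAX extended header is a tar entry with typeflag `x` whose data holds `<len> <key>=<value>\n` records; keys such as `size` and `path` override the corresponding fields of the ustar header that follows. A reader that honours the PAX value and one that reads only the ustar field will place the end of that entry at different offsets, or name it differently, so entries after it can appear to one reader and not the other. The advisory does not say which field is involved, so this checker (a hypothetical defender-side audit, using only the Rust standard library and an archive constructed in memory) flags every place where the two sources of truth disagree; the decision logic is an assumption of this example, not the crate's.

```rust
// Added illustration (not astral-tokio-tar code): walk a tar stream and flag
// PAX records that disagree with the ustar header of the entry they describe.
// These are the fields on which two tar readers can desynchronise.
const BLOCK: usize = 512;

/// Build a minimal 512-byte ustar header block with a valid checksum.
fn ustar_header(name: &str, size: usize, typeflag: u8) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[124..136].copy_from_slice(format!("{:011o}\0", size).as_bytes());
    h[148..156].copy_from_slice(b"        "); // checksum field counts as spaces
    h[156] = typeflag;
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    let sum: u32 = h.iter().map(|&b| u32::from(b)).sum();
    h[148..156].copy_from_slice(format!("{:06o}\0 ", sum).as_bytes());
    h
}

/// Encode one PAX record "<len> <key>=<value>\n"; <len> counts its own digits.
fn pax_record(key: &str, value: &str) -> String {
    let base = key.len() + value.len() + 3; // space, '=', newline
    let mut len = base + 1;
    while len.to_string().len() + base != len {
        len = base + len.to_string().len();
    }
    format!("{} {}={}\n", len, key, value)
}

/// Constructed sample: a PAX header claiming `claimed_size` bytes for
/// "good.txt", followed by a ustar entry whose own size field says 5.
pub fn sample_archive(claimed_size: usize) -> Vec<u8> {
    let mut a = Vec::new();
    let pax = pax_record("size", &claimed_size.to_string()) + &pax_record("path", "good.txt");
    a.extend_from_slice(&ustar_header("./PaxHeaders/good.txt", pax.len(), b'x'));
    a.extend_from_slice(pax.as_bytes());
    a.resize((a.len() + BLOCK - 1) / BLOCK * BLOCK, 0); // pad data to a block
    a.extend_from_slice(&ustar_header("good.txt", 5, b'0'));
    a.extend_from_slice(b"hello");
    a.resize((a.len() + BLOCK - 1) / BLOCK * BLOCK, 0);
    a.extend_from_slice(&[0u8; 2 * BLOCK]); // end-of-archive marker
    a
}

/// Parse a NUL/space-padded octal ustar field.
fn octal_field(b: &[u8]) -> Option<u64> {
    let s = std::str::from_utf8(b).ok()?;
    let s = s.trim_matches(|c: char| c == '\0' || c == ' ');
    if s.is_empty() { return Some(0); }
    u64::from_str_radix(s, 8).ok()
}

/// Parse PAX records; stop at the first malformed length rather than guess.
fn pax_records(data: &[u8]) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let mut pos = 0;
    while pos < data.len() {
        let rest = &data[pos..];
        let sp = match rest.iter().position(|&b| b == b' ') { Some(i) => i, None => break };
        let len = match std::str::from_utf8(&rest[..sp]).ok().and_then(|s| s.parse::<usize>().ok()) {
            Some(l) if l > sp + 1 && l <= rest.len() => l,
            _ => break,
        };
        if let Ok(body) = std::str::from_utf8(&rest[sp + 1..len]) {
            if let Some((k, v)) = body.trim_end_matches('\n').split_once('=') {
                out.push((k.to_string(), v.to_string()));
            }
        }
        pos += len;
    }
    out
}

#[derive(Debug, PartialEq)]
pub struct Finding { pub entry: String, pub issue: String }

/// Walk the archive by its ustar size fields and report every PAX `size` or
/// `path` record a PAX-aware reader would resolve differently, plus any PAX
/// header that no entry follows (a reader honouring it sees nothing).
pub fn audit_pax(archive: &[u8]) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut pending: Option<Vec<(String, String)>> = None;
    let mut pos = 0;
    while pos + BLOCK <= archive.len() {
        let h = &archive[pos..pos + BLOCK];
        if h.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        let name = String::from_utf8_lossy(&h[..100]).trim_end_matches('\0').to_string();
        let size = match octal_field(&h[124..136]) {
            Some(s) => s as usize,
            None => { findings.push(Finding { entry: name, issue: "unparseable ustar size".into() }); break; }
        };
        let data_start = pos + BLOCK;
        let data_end = data_start + (size + BLOCK - 1) / BLOCK * BLOCK;
        if data_end > archive.len() {
            findings.push(Finding { entry: name, issue: "entry data runs past end of archive".into() });
            break;
        }
        if h[156] == b'x' {
            pending = Some(pax_records(&archive[data_start..data_start + size]));
        } else if let Some(recs) = pending.take() {
            for (k, v) in recs {
                let mismatch = match k.as_str() {
                    "size" => v.parse::<usize>().ok() != Some(size),
                    "path" => v != name,
                    _ => false,
                };
                if mismatch {
                    findings.push(Finding { entry: name.clone(), issue: format!("PAX {}={} disagrees with ustar header (size {}, name {:?})", k, v, size, name) });
                }
            }
        }
        pos = data_end;
    }
    if pending.is_some() {
        findings.push(Finding { entry: String::new(), issue: "PAX header with no entry after it".into() });
    }
    findings
}

fn main() {
    for f in audit_pax(&sample_archive(20)) {
        println!("{}: {}", f.entry, f.issue);
    }
}
```

A finding means "inspect", not "malicious": PAX `size` is the legitimate way to store files larger than the 8 GiB ustar limit and PAX `path` the legitimate way to store names longer than 100 bytes, so both mismatches occur in honest archives. The point for a defender is that every such mismatch is a place where the extractor you run and the scanner you trust may be looking at different entries; a build or ingestion pipeline can reject archives whose PAX and ustar fields disagree, or extract them with a single, known implementation only.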