GHSA-fp55-jw48-c537
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fp55-jw48-c537
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-fp55-jw48-c537/GHSA-fp55-jw48-c537.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-fp55-jw48-c537
- Aliases
- Downstream
- Related
- Published
- 2026-05-06T17:26:12Z
- Modified
- 2026-05-08T11:14:21.865560323Z
- Severity
-
- 6.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator
- Summary
- astral-tokio-tar is Vulnerable to PAX Header Desynchronization
- Details
-
Impact
Versions of astral-tokio-tar prior to 0.6.1 contain a PAX header interpretation bug that allows manipulated entries to be made selectively visible or invisible during extraction with astral-tokio-tar versus other tar implementations. An attacker could use this differential to smuggle unexpected files onto a victim's filesystem.
See GHSA-j5gw-2vrg-8fgx for a similar desynchronization bug in astral-tokio-tar.
Patches
Versions 0.6.1 and newer of astral-tokio-tar address this differential.
Workarounds
Users are advised to upgrade to version 0.6.1 or newer to address this advisory.
There is no workaround other than upgrading. Users should experience no breaking changes as a result of the upgrade.
Resources
- GHSA-j5gw-2vrg-8fgx is a similar PAX desynchronization bug
Attribution
- Reporter: Adam Harvey (@lawngnome)
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-05-06T17:26:12Z", "cwe_ids": [ "CWE-20", "CWE-843" ], "severity": "MODERATE", "nvd_published_at": null }- References
Affected packages
crates.io / astral-tokio-tar
Package
- Name
- astral-tokio-tar
- View open source insights on deps.dev
- Purl
- pkg:cargo/astral-tokio-tar