{"id":"GHSA-fp55-jw48-c537","summary":"astral-tokio-tar is Vulnerable to PAX Header Desynchronization","details":"### Impact\n\nVersions of astral-tokio-tar prior to 0.6.1 contain a PAX header interpretation bug that allows manipulated entries to be made selectively visible or invisible during extraction with astral-tokio-tar versus other tar implementations. An attacker could use this differential to smuggle unexpected files onto a victim's filesystem.\n\nSee GHSA-j5gw-2vrg-8fgx for a similar desynchronization bug in astral-tokio-tar.\n\n### Patches\n\nVersions 0.6.1 and newer of astral-tokio-tar address this differential.\n\n### Workarounds\n\nUsers are advised to upgrade to version 0.6.1 or newer to address this advisory.\n\nThere is no workaround other than upgrading. Users should experience no breaking changes as a result of the upgrade.\n\n### Resources\n\n- GHSA-j5gw-2vrg-8fgx is a similar PAX desynchronization bug\n\n### Attribution\n\n- Reporter: Adam Harvey (@lawngnome)","aliases":["RUSTSEC-2026-0112"],"modified":"2026-05-08T11:14:21.865560323Z","published":"2026-05-06T17:26:12Z","related":["CGA-8qgm-prvx-jwwr"],"database_specific":{"github_reviewed":true,"cwe_ids":["CWE-20","CWE-843"],"github_reviewed_at":"2026-05-06T17:26:12Z","severity":"MODERATE","nvd_published_at":null},"references":[{"type":"WEB","url":"https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-fp55-jw48-c537"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-fp55-jw48-c537"},{"type":"PACKAGE","url":"https://github.com/astral-sh/tokio-tar"},{"type":"WEB","url":"https://rustsec.org/advisories/RUSTSEC-2026-0112.html"}],"affected":[{"package":{"name":"astral-tokio-tar","ecosystem":"crates.io","purl":"pkg:cargo/astral-tokio-tar"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.6.1"}]}],"database_specific":{"last_known_affected_version_range":"\u003c= 0.6.0","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-fp55-jw48-c537/GHSA-fp55-jw48-c537.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"}]}