Overview
- Edera disclosed CVE-2025-62518, a high-severity async-tar parsing flaw (CVSS 8.1) that can enable remote code execution through file overwriting.
- The defect is a logic error in reconciling PAX extended headers with ustar headers: the entries of a TAR archive nested inside another entry can be misread as top-level files, so a hidden payload can overwrite files on extraction.
- Projects using affected forks include the uv Python package manager, testcontainers and wasmCloud, raising supply-chain and build-system risk.
- Patches are available for maintained forks such as astral-tokio-tar v0.5.6 and updated async-tar versions, but the widely used tokio-tar crate remains unfixed and appears abandoned.
- Edera found the issue on August 21, coordinated fixes, and advises migrating to patched libraries and auditing indirect (transitive) dependencies that SBOM tooling or security scanners may miss.
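The mechanism behind the defect, as an added illustration that is not code from Edera or the async-tar project: a minimal synchronous ustar/PAX walker over a constructed archive. POSIX requires that a `size` record in a PAX extended header override the ustar size field, and a reader must use that overriding size both to read the entry's data and to advance past it. The `honor_pax = false` variant models the class of desync the advisory describes (advancing by the ustar size only); it is a simplification of the class, not the exact code path in async-tar. The archive layout, entry names and the `pax_record`, `header` and `build_archive` helpers are all constructed for this example.

```rust
// Added illustration, not Edera's or async-tar's code. Walks ustar/PAX headers
// and shows how ignoring a PAX `size` override makes a nested archive's
// entries surface as if they were part of the outer archive.

const BLOCK: usize = 512;

/// Round a byte count up to the next 512-byte block boundary.
fn padded(n: usize) -> usize {
    (n + BLOCK - 1) / BLOCK * BLOCK
}

/// Decode a NUL/space-terminated octal header field (e.g. the size field).
fn octal(field: &[u8]) -> usize {
    let s: String = field
        .iter()
        .take_while(|&&b| b != 0 && b != b' ')
        .map(|&b| b as char)
        .collect();
    usize::from_str_radix(&s, 8).unwrap_or(0)
}

/// Build a ustar header block with a valid checksum (constructed test data).
fn header(name: &str, size: usize, typeflag: u8) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..108].copy_from_slice(b"0000644\0");
    h[124..136].copy_from_slice(format!("{:011o}\0", size).as_bytes());
    h[148..156].copy_from_slice(b"        "); // checksum field counts as spaces
    h[156] = typeflag;
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    let sum: u32 = h.iter().map(|&b| u32::from(b)).sum();
    h[148..156].copy_from_slice(format!("{:06o}\0 ", sum).as_bytes());
    h
}

/// Encode one PAX record as "<len> key=value\n", where <len> counts itself.
fn pax_record(key: &str, value: &str) -> String {
    let body = format!(" {}={}\n", key, value);
    let mut len = body.len() + 1;
    while len.to_string().len() + body.len() != len {
        len += 1;
    }
    format!("{}{}", len, body)
}

/// Parse PAX records and return the `size` override, if one is present.
fn pax_size(data: &[u8]) -> Option<usize> {
    let mut pos = 0;
    while pos < data.len() {
        let rest = &data[pos..];
        let sp = rest.iter().position(|&b| b == b' ')?;
        let len: usize = std::str::from_utf8(&rest[..sp]).ok()?.parse().ok()?;
        if len <= sp + 1 || len > rest.len() {
            return None; // malformed record: stop rather than guess
        }
        let rec = std::str::from_utf8(&rest[sp + 1..len]).ok()?;
        if let Some(v) = rec.trim_end_matches('\n').strip_prefix("size=") {
            return v.parse().ok();
        }
        pos += len;
    }
    None
}

/// Walk the archive and return the entry names encountered.
/// With `honor_pax`, a pending PAX size governs how far the data extends.
fn list_entries(tar: &[u8], honor_pax: bool) -> Vec<String> {
    let mut names = Vec::new();
    let mut pending: Option<usize> = None;
    let mut pos = 0;
    while pos + BLOCK <= tar.len() {
        let hdr = &tar[pos..pos + BLOCK];
        if hdr.iter().all(|&b| b == 0) {
            break; // end-of-archive marker
        }
        let name = String::from_utf8_lossy(&hdr[..100]).trim_end_matches('\0').to_string();
        let ustar_size = octal(&hdr[124..136]);
        let typeflag = hdr[156];
        pos += BLOCK;
        if typeflag == b'x' {
            let end = (pos + ustar_size).min(tar.len());
            pending = pax_size(&tar[pos..end]);
            pos += padded(ustar_size);
            continue;
        }
        let size = match (honor_pax, pending.take()) {
            (true, Some(s)) => s, // override governs reading and skipping
            _ => ustar_size,      // desync: nested bytes become new headers
        };
        names.push(name);
        pos += padded(size);
    }
    names
}

/// Constructed archive: an outer entry whose ustar size field says 0 but whose
/// PAX header gives the real size, and whose data is itself a small tar.
fn build_archive() -> Vec<u8> {
    let mut inner = Vec::new();
    inner.extend_from_slice(&header("nested.txt", 5, b'0'));
    inner.extend_from_slice(b"hello");
    inner.resize(padded(inner.len()), 0);
    inner.resize(inner.len() + 2 * BLOCK, 0);

    let pax = pax_record("size", &inner.len().to_string());
    let mut tar = Vec::new();
    tar.extend_from_slice(&header("./PaxHeaders/outer.bin", pax.len(), b'x'));
    tar.extend_from_slice(pax.as_bytes());
    tar.resize(padded(tar.len()), 0);
    tar.extend_from_slice(&header("outer.bin", 0, b'0')); // disagrees with PAX
    tar.extend_from_slice(&inner);
    tar.resize(tar.len() + 2 * BLOCK, 0);
    tar
}

fn main() {
    let tar = build_archive();
    println!("honoring PAX size: {:?}", list_entries(&tar, true));
    println!("ustar size only:   {:?}", list_entries(&tar, false));
}
```

Run stand-alone, the honoring walker reports only `outer.bin`, while the ustar-only walker also reports `nested.txt`, the file that lives inside the outer entry's data. A defensive reader can additionally record when a PAX size and ustar size disagree for an entry, which is a cheap signal for review of archives from untrusted sources.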