Access of Resource Using Incompatible Type ('Type Confusion')

The advisory has been revoked - it doesn't affect any version of package trustee-guest-components


Threat Intelligence

  • Exploit Maturity: Proof of Concept
  • EPSS: 0.69% (48th percentile)

  • Snyk ID: SNYK-CENTOS10-TRUSTEEGUESTCOMPONENTS-13653454
  • Published: 22 Oct 2025
  • Disclosed: 21 Oct 2025

Introduced: 21 Oct 2025

CVE-2025-62518
CWE-843

Amendment

The CentOS security team deemed this advisory irrelevant for Centos:10.

NVD Description

Note: Versions mentioned in the description apply only to the upstream trustee-guest-components package and not the trustee-guest-components package as distributed by Centos.

astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds.
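
The size disagreement described above can be checked for directly. The following is an added example, not code from astral-tokio-tar or from this advisory: it walks a tar stream advancing by the PAX `size` override where one is present and reports entries whose ustar size field differs from it. All function names are hypothetical, the sample archive is constructed, and header checksums and GNU base-256 sizes are not handled.

```rust
const BLOCK: usize = 512;
fn ustar_size(h: &[u8]) -> u64 { // octal size field, header bytes 124..136
    h[124..136].iter().take_while(|b| (b'0'..=b'7').contains(*b))
        .fold(0, |n, b| n * 8 + u64::from(b - b'0'))
}
/// `size` override from PAX records of the form "LEN key=value\n"; last one wins.
fn pax_size(mut rec: &[u8]) -> Option<u64> {
    let mut found = None;
    while let Some(sp) = rec.iter().position(|&b| b == b' ') {
        let len: usize = std::str::from_utf8(&rec[..sp]).ok()?.parse().ok()?;
        if len <= sp + 1 || len > rec.len() { break; }
        let kv = std::str::from_utf8(&rec[sp + 1..len - 1]).ok()?;
        if let Some(v) = kv.strip_prefix("size=") { found = v.parse().ok(); }
        rec = &rec[len..];
    }
    found
}
fn padded(n: u64) -> usize { // round up to whole blocks, saturating
    (n / 512 + u64::from(n % 512 != 0)).saturating_mul(512).min(usize::MAX as u64) as usize
}
/// (header offset, ustar size, PAX size) for each entry where the two differ.
fn audit(ar: &[u8]) -> Vec<(usize, u64, u64)> {
    let (mut off, mut pending, mut out) = (0usize, None::<u64>, Vec::new());
    while off.saturating_add(BLOCK) <= ar.len() && ar[off..off + BLOCK].iter().any(|&b| b != 0) {
        let (hdr, data) = (ustar_size(&ar[off..off + BLOCK]), off + BLOCK);
        let size = if ar[off + 156] == b'x' {
            pending = pax_size(&ar[data..(data + hdr as usize).min(ar.len())]); // applies to next entry
            hdr
        } else { pending.take().unwrap_or(hdr) };
        if size != hdr { out.push((off, hdr, size)); }
        off = data.saturating_add(padded(size)); // advance by the effective size
    }
    out
}
/// Constructed sample: PAX `size=1024` ahead of an entry whose ustar size is 0.
fn sample() -> Vec<u8> {
    let header = |flag: u8, size: u64| {
        let mut h = vec![0u8; BLOCK];
        h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes());
        h[156] = flag;
        h
    };
    let mut ar = header(b'x', 13);
    ar.extend_from_slice(b"13 size=1024\n");
    ar.resize(2 * BLOCK, 0);
    ar.extend(header(b'0', 0));
    ar.extend(vec![b'A'; 1024]);
    ar
}
fn main() { println!("{:?}", audit(&sample())); }
```

A reported tuple means a reader that advances by the ustar field would start parsing headers inside that entry's content, so such archives are worth rejecting or extracting only with a patched library.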