Directory Traversal Affecting rust-astral-tokio-tar package, versions <0.5.5-1
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-DEBIANUNSTABLE-RUSTASTRALTOKIOTAR-13045612
- published25 Sept 2025
- disclosed23 Sept 2025
Introduced: 23 Sep 2025
NewCVE-2025-59825 (opens in a new tab)How to fix?
Upgrade Debian:unstable rust-astral-tokio-tar to version 0.5.5-1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream rust-astral-tokio-tar package and not the rust-astral-tokio-tar package as distributed by Debian.
See How to fix? for Debian:unstable relevant fixed versions and status.
astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.3 and earlier of astral-tokio-tar, tar archives may extract outside of their intended destination directory when using the Entry::unpack_in_raw API. Additionally, the Entry::allow_external_symlinks control (which defaults to true) could be bypassed via a pair of symlinks that individually point within the destination but combine to point outside of it. These behaviors could be used individually or combined to bypass the intended security control of limiting extraction to the given directory. This in turn would allow an attacker with a malicious tar archive to perform an arbitrary file write and potentially pivot into code execution. This issue has been patched in version 0.5.4. There is no workaround other than upgrading.