{"id":8096,"date":"2025-10-21T15:25:07","date_gmt":"2025-10-21T20:25:07","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=86438"},"modified":"2025-10-21T15:25:07","modified_gmt":"2025-10-21T20:25:07","slug":"researchers-uncover-remote-code-execution-flaw-in-abandoned-rust-code-library","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/10\/21\/researchers-uncover-remote-code-execution-flaw-in-abandoned-rust-code-library\/","title":{"rendered":"Researchers uncover remote code execution flaw in abandoned Rust code library"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v24.5 (Yoast SEO v24.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Researchers uncover remote code execution flaw in abandoned Rust code library | CyberScoop<\/title> <meta name=\"description\" content=\"The high-severity defect affects a widely used \u2014 but largely hidden \u2014 archive tool that spans many forks.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/async-tar-rust-open-source-vulnerability\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Researchers uncover remote code execution flaw in abandoned Rust code library\"> <meta property=\"og:description\" content=\"The high-severity defect affects a widely used \u2014 but largely hidden \u2014 archive tool that spans many forks.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/async-tar-rust-open-source-vulnerability\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" 
id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.295454545455\">\n<div class=\"single-article__header-content\" readability=\"34.299212598425\">\n<p> The high-severity defect affects a widely used \u2014 but largely hidden \u2014 archive tool that spans many forks. <\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/86438\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/researchers-uncover-remote-code-execution-flaw-in-abandoned-rust-code-library-2.jpg?resize=900,675 900w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/researchers-uncover-remote-code-execution-flaw-in-abandoned-rust-code-library-2.jpg?resize=1124,843 1124w\" sizes=\"(max-width: 900px) 100vw, 900px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"44.131809338521\"><body readability=\"90.645179216449\"><\/p>\n<p>Security specialists at Edera discovered and <a href=\"https:\/\/edera.dev\/stories\/tarmageddon\">disclosed a high-severity vulnerability<\/a> in early, since-abandoned code from an open-source async tar archive library for the Rust programming language.&nbsp;<\/p>\n<p>Researchers warned that exploitation, which allows remote code execution, could have major impact because the code has been widely forked and there is little visibility into where it is used.&nbsp;<\/p>\n<p>\u201cGiven its presence in critical, widely-deployed tools like the uv package manager, the potential impact on build systems and production environments across many companies is substantial,\u201d Alex Zenla, chief technology officer and co-founder at Edera, told CyberScoop in an email.<\/p>\n<p>The boundary-parsing vulnerability \u2014 <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-62518\">CVE-2025-62518<\/a>, which has a CVSS rating of 8.1 \u2014 affects the async-tar Rust library and its forks, including tokio-tar, astral-tokio-tar and krata-tokio-tar, and, through those forks, downstream consumers such as the Python package manager uv, testcontainers and wasmCloud. 
The most popular fork \u2014 tokio-tar \u2014 has more than 5 million downloads on crates.io and is no longer maintained, according to Edera.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cThis vulnerability is a textbook case of the open-source abandonware crisis. The original bug was introduced in an early version of the code that was then repeatedly forked as the original project became unmaintained,\u201d Zenla said.&nbsp;&nbsp;<\/p>\n<p>\u201cThe bug was replicated across a deep lineage of these forks,\u201d she added. \u201cWhen one project stops maintaining code, the bug gets inherited by the entire downstream family, creating a systemic risk that\u2019s incredibly difficult to track and patch efficiently.\u201d<\/p>\n<p>Edera discovered the vulnerability on Aug. 21 during a development push on its internal platforms. The cybersecurity company created patches the next day and worked to get the fixes into as many active forks and open-source projects as possible before it publicly disclosed the defect Tuesday.<\/p>\n<p>Zenla said tokio-tar and its forks are the foundation for async archive processing across the Rust ecosystem. Tar archives are fundamental to software distribution, so the scope of potential impact is vast, she added.&nbsp;<\/p>\n<p>\u201cThe most concerning part is the unawareness,\u201d Zenla said. \u201cThis vulnerable code is often an indirect dependency, buried deep in a build tool or container pipeline. Most end-users or businesses don\u2019t even know they are running it, which is why public disclosure is a critical remediation step.\u201d<\/p>\n<p>Because the vulnerable code is typically pulled in transitively, identifying exposure means checking transitive dependencies \u2014 for example via a lockfile or software bill of materials \u2014 rather than direct dependency lists alone.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Attackers who can supply a crafted tar archive to a vulnerable parser can exploit the boundary-parsing flaw to overwrite files on the extracting system and, from there, achieve remote code execution, according to Edera. 
The defect is not a complex memory-corruption issue but a logic flaw, and it is considered easy to exploit, Zenla said.&nbsp;<\/p>\n<p>Rust is widely regarded as a more secure programming language because its safe subset rules out the memory-safety vulnerabilities that are common in C and C++. Yet CVE-2025-62518, which Edera dubbed \u201cTARmageddon,\u201d is a logic flaw rather than a memory-safety bug, and so falls outside what Rust\u2019s guarantees cover; it proves that no language is completely secure and that safer languages are still susceptible to human error, Zenla said.&nbsp;<\/p>\n<p>The defect also serves as another reminder of the risks lurking in open-source code, particularly when the chain of responsibility breaks because original versions are abandoned or no longer maintained.&nbsp;<\/p>\n<p>\u201cThis meant we couldn\u2019t just submit one patch upstream. We had to engage in a difficult, decentralized disclosure \u2014 tracking down and coordinating with multiple active forks and downstream consumers to ensure the patch was applied everywhere,\u201d Zenla said.&nbsp;<\/p>\n<p>\u201cWhen a project is truly abandoned, responsibility becomes a messy, manual, and highly inefficient process for the ecosystem to resolve.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.498046875\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/researchers-uncover-remote-code-execution-flaw-in-abandoned-rust-code-library-1.jpg?w=640&#038;ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. 
href=\"https:\/\/cyberscoop.com\/async-tar-rust-open-source-vulnerability\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers uncover remote code execution flaw in abandoned Rust code<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4539,78,5245,1073,256,5246,310,2281,703,2390,2759],"tags":[4542,86,5247,1076,262,5248,311,2283,705,2394,2760],"class_list":["post-8096","post","type-post","status-publish","format-standard","hentry","category-containers","category-cybersecurity","category-edera","category-open-source","category-research","category-rust","category-technology","category-vulnerability","category-vulnerability-disclosure","category-vulnerability-management","category-vulnerability-reporting","tag-containers","tag-cybersecurity","tag-edera","tag-open-source","tag-research","tag-rust","tag-technology","tag-vulnerability","tag-vulnerability-disclosure","tag-vulnerability-management","tag-vulnerability-reporting"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/containers\/\" rel=\"category tag\">Containers<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/edera\/\" rel=\"category tag\">Edera<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/open-source\/\" rel=\"category tag\">open source<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" 
rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/rust\/\" rel=\"category tag\">Rust<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/technology\/\" rel=\"category tag\">Technology<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerability\/\" rel=\"category tag\">vulnerability<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerability-disclosure\/\" rel=\"category tag\">vulnerability disclosure<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerability-management\/\" rel=\"category tag\">Vulnerability Management<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerability-reporting\/\" rel=\"category tag\">vulnerability reporting<\/a>","tag_info":"vulnerability reporting","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8096","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8096"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8096\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8096"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8096"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8096"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}