Path Traversal in Astral-sh Tokio-tar
CVE-2025-59825
astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.3 and earlier of astral-tokio-tar, tar archives may extract outside of their intended destination directory when using the Entry::unpack_in_raw API…
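The general defence against this class of bug is to validate every entry against the destination before anything is written, and to validate symlink targets and the on-disk (canonicalized) parent directory rather than only the entry's own path string. The block below is an added example written for this page, not code from astral-tokio-tar or uv, and it does not reproduce the library's `Entry::unpack_in_raw` implementation; the `Entry` type, the function names and the constructed archive are assumptions used to model the checks.

```rust
use std::path::{Component, Path, PathBuf};

/// One entry of a constructed, in-memory tar archive: the two entry kinds
/// that matter for traversal, regular files and symlinks. (Assumed type,
/// not the library's own.)
#[derive(Debug, Clone)]
pub enum Entry {
    File { path: PathBuf },
    Symlink { path: PathBuf, target: PathBuf },
}

/// Lexically join `entry_path` onto `dest`. Rejects absolute paths, Windows
/// prefixes and any `..` component, so the result stays under `dest` as long
/// as no symlink is involved.
pub fn safe_join(dest: &Path, entry_path: &Path) -> Option<PathBuf> {
    let mut out = dest.to_path_buf();
    for c in entry_path.components() {
        match c {
            Component::Normal(part) => out.push(part),
            Component::CurDir => {}
            Component::ParentDir | Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    Some(out)
}

/// A symlink entry is only safe if its target, resolved relative to the
/// directory that will contain the link, cannot climb above `dest`.
/// Absolute targets are rejected outright.
pub fn symlink_stays_inside(dest: &Path, link_path: &Path, target: &Path) -> bool {
    let link = match safe_join(dest, link_path) {
        Some(p) => p,
        None => return false,
    };
    // Depth of the link's parent directory below `dest`.
    let mut depth = link
        .parent()
        .and_then(|p| p.strip_prefix(dest).ok())
        .map(|rel| rel.components().count() as i64)
        .unwrap_or(0);
    for c in target.components() {
        match c {
            Component::Normal(_) => depth += 1,
            Component::CurDir => {}
            Component::ParentDir => {
                depth -= 1;
                if depth < 0 {
                    return false;
                }
            }
            Component::RootDir | Component::Prefix(_) => return false,
        }
    }
    true
}

/// Validate a whole archive before writing anything. Returns the destination
/// paths that would be created, or an error naming the first offending entry.
pub fn plan_extraction(dest: &Path, entries: &[Entry]) -> Result<Vec<PathBuf>, String> {
    let mut planned = Vec::new();
    for e in entries {
        match e {
            Entry::File { path } => {
                let full = safe_join(dest, path)
                    .ok_or_else(|| format!("file {} escapes {}", path.display(), dest.display()))?;
                planned.push(full);
            }
            Entry::Symlink { path, target } => {
                if !symlink_stays_inside(dest, path, target) {
                    return Err(format!(
                        "symlink {} -> {} escapes {}",
                        path.display(),
                        target.display(),
                        dest.display()
                    ));
                }
                // safe_join succeeded inside symlink_stays_inside, so unwrap is safe.
                planned.push(safe_join(dest, path).unwrap());
            }
        }
    }
    Ok(planned)
}

/// Runtime defence for what lexical checks cannot see: once a file's parent
/// directory exists on disk, canonicalize it and confirm it is still under the
/// canonicalized `dest`. A symlink planted by an earlier entry that points
/// outside the tree is caught here.
pub fn parent_resolves_inside(dest: &Path, full_path: &Path) -> std::io::Result<bool> {
    let canon_dest = dest.canonicalize()?;
    let parent = full_path.parent().unwrap_or(full_path);
    Ok(parent.canonicalize()?.starts_with(&canon_dest))
}

/// Constructed malicious archive: a symlink two levels up, then a file written
/// through it. Every path is `..`-free, so checking the file's own path alone
/// would accept it.
pub fn constructed_evil_archive() -> Vec<Entry> {
    vec![
        Entry::Symlink { path: PathBuf::from("pkg/escape"), target: PathBuf::from("../../") },
        Entry::File { path: PathBuf::from("pkg/escape/authorized_keys") },
    ]
}

fn main() {
    let dest = Path::new("/tmp/extract");
    match plan_extraction(dest, &constructed_evil_archive()) {
        Ok(paths) => println!("would extract: {:?}", paths),
        Err(e) => println!("rejected: {}", e),
    }
}
```

The two layers are deliberate: `plan_extraction` is cheap and runs before any write, but it only reasons about strings, so `parent_resolves_inside` should still be applied per file at write time, after the parent directory has been created, to cover symlinks that already exist on disk or that the lexical pass misjudged.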
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.000 (8.7th percentile)
Affected products
- Astral-sh Tokio-tar — versions < 0.5.4
Weakness classification (CWE)
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
References
- Vendor advisory (GHSA-3wgq-wrwc-vqmv): https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-3wgq-wrwc-vqmv
- Related uv issue: https://github.com/astral-sh/uv/issues/12163
- Fix commit in astral-sh/tokio-tar: https://github.com/astral-sh/tokio-tar/commit/036fdecc85c52458ace92dc9e02e9cef90684e75