Vulnerability in Alexcrichton Tar-rs
CVE-2026-33055
tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar proje…
EPSS: 0.000 (5.4th percentile)
Affected products
- Alexcrichton Tar-rs — versions < 0.4.45
References
- https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-gchp-q4r4-x4ff (x_refsource_CONFIRM)
- https://github.com/alexcrichton/tar-rs/commit/de1a5870e603758f430073688691165f21a33946 (x_refsource_MISC)
- https://www.cve.org/CVERecord?id=CVE-2025-62518 (x_refsource_MISC)