Vulnerability in Alexcrichton Tar-rs

CVE-2026-33056

tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Becau…

EPSS: 0.000 (5.5th percentile) — read the EPSS interpretation.

Affected products

Alexcrichton Tar-rs — versions < 0.4.45

Weakness classification (CWE)

CWE-61 — UNIX Symbolic Link (Symlink) Following

References

https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph (x_refsource_CONFIRM)
https://github.com/alexcrichton/tar-rs/commit/17b1fd84e632071cb8eef9d3709bf347bd266446 (x_refsource_MISC)