CVE-2025-59825: astral-tokio-tar has a path traversal in tar extraction

CVSS Score
N/A

Basic Information

EPSS Score
0.0403%
Published
9/23/2025
Updated
9/23/2025
KEV Status
No
Technology
Rust

Technical Details

CVSS Vector
-
Package Name
astral-tokio-tar
Ecosystem
rust
Vulnerable Versions
<= 0.5.3
First Patched Version
0.5.4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability, identified as GHSA-3wgq-wrwc-vqmv, is a path traversal issue in the astral-tokio-tar Rust crate. The root cause is the improper handling of symlinks within tar archives: a crafted archive can make the extractor write files outside the intended extraction directory. That is an arbitrary file write controlled by whoever supplied the archive, and it becomes remote code execution when the overwritten file is one the victim later executes or interprets (a script, a shell profile, a service configuration file).

The analysis of the fixing commit, 036fdecc85c52458ace92dc9e02e9cef90684e75, pinpoints the flaw to the unpack_in_raw method of the EntryFields struct in src/entry.rs. The function's validation of symlink destinations was weak and could be bypassed by crafted paths containing .. sequences. It also had a time-of-check-to-time-of-use gap that needs no race with another process: the extractor validated a directory path once and memoized the verdict, so a later symlink entry in the same archive could redirect that directory, and subsequent entries were then written through the link on the strength of the stale cached check.

The patch addresses these issues by:

  1. Replacing the flawed normalize_absolute and normalize_relative helper functions with a single, more robust normalize function that folds . and .. components correctly and rejects a path that would climb above the destination.
  2. Adding stricter checks in EntryFields::unpack_in_raw so that the fully resolved path of a symlink (its target interpreted relative to the link's own directory) does not fall outside the target extraction directory.
  3. Clearing the memoization cache of validated directory paths whenever a symlink entry is encountered, so that a verdict computed before the link existed is never reused afterwards.
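
The following is an added example, not code from the astral-tokio-tar crate or from its fix commit. It is a small in-memory model of the three patch steps above (lexical normalization, checking a symlink's resolved target, clearing the directory cache when a symlink is unpacked) and replays a constructed five-entry archive against a cache-keeping and a cache-clearing extractor, so the stale-verdict bypass and the plain `..` traversal are both visible. `Extractor`, `Kind`, `Outcome`, `replay` and the overwrite-enabled extraction the model assumes are illustrative names and assumptions; nothing here touches the real filesystem.

```rust
use std::collections::{HashMap, HashSet};
use std::path::{Component, Path, PathBuf};

/// Constructed stand-in for an entry header (not the crate's type); a symlink carries its target as stored.
#[derive(Clone, Debug)]
pub enum Kind { File, Dir, Symlink(PathBuf) }

/// `Escaped` = the extractor accepted the write, but on disk it lands outside the root.
#[derive(Clone, Debug, PartialEq)]
pub enum Outcome { Placed(PathBuf), Rejected, Escaped(PathBuf) }

/// Step 1: lexical normalization. Drops `.`, folds `..`, and fails on an absolute
/// path or a `..` that would climb above the extraction root.
pub fn normalize(p: &Path) -> Option<PathBuf> {
    let mut out = PathBuf::new();
    for c in p.components() {
        match c {
            Component::CurDir => {}
            Component::Normal(s) => out.push(s),
            Component::ParentDir => if !out.pop() { return None; },
            Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    Some(out)
}

/// In-memory model of the destination as the extractor sees it. `symlinks` maps a link
/// path to its resolved root-relative target, or None when the link points outside the
/// root; `validated_dirs` is the memoized set of directories already checked.
#[derive(Default)]
pub struct Extractor {
    pub symlinks: HashMap<PathBuf, Option<PathBuf>>,
    pub validated_dirs: HashSet<PathBuf>,
    pub allow_external_symlinks: bool,
    /// Step 3 of the patch: drop the directory cache whenever a symlink is unpacked.
    pub clear_cache_on_symlink: bool,
}

impl Extractor {
    /// Follow every symlink recorded so far (a lexical stand-in for canonicalize);
    /// None if any hop leaves the root.
    fn resolve(&self, rel: &Path, depth: u8) -> Option<PathBuf> {
        if depth > 40 { return None; } // symlink loop guard
        let comps: Vec<Component<'_>> = rel.components().collect();
        let mut cur = PathBuf::new();
        for (i, c) in comps.iter().enumerate() {
            cur.push(c);
            if let Some(target) = self.symlinks.get(&cur) {
                let mut rest = target.clone()?; // None: this hop is external
                for r in &comps[i + 1..] { rest.push(r); }
                return self.resolve(&rest, depth + 1);
            }
        }
        Some(cur)
    }

    /// Parent check with the memoization the page describes: a cached verdict is
    /// trusted as-is, which is exactly what a later symlink entry can invalidate.
    fn parent_is_safe(&mut self, rel: &Path) -> bool {
        let parent = rel.parent().unwrap_or(Path::new("")).to_path_buf();
        if self.validated_dirs.contains(&parent) { return true; }
        let ok = self.resolve(&parent, 0).is_some();
        if ok { self.validated_dirs.insert(parent); }
        ok
    }

    /// Unpack one entry: normalize, check the parent, then check the entry itself.
    pub fn unpack(&mut self, path: &Path, kind: Kind) -> Outcome {
        let rel = match normalize(path) { Some(p) => p, None => return Outcome::Rejected };
        if !self.parent_is_safe(&rel) { return Outcome::Rejected; }
        match kind {
            Kind::Dir => { self.validated_dirs.insert(rel.clone()); Outcome::Placed(rel) }
            Kind::File => {
                if self.symlinks.contains_key(&rel) { return Outcome::Rejected; } // leaf is a link
                // Demo-only: report where the write really lands, cache or no cache.
                match self.resolve(&rel, 0) { Some(_) => Outcome::Placed(rel), None => Outcome::Escaped(rel) }
            }
            Kind::Symlink(target) => {
                // Step 2: a relative target is interpreted from the link's own directory.
                let link_dir = rel.parent().unwrap_or(Path::new("")).to_path_buf();
                let resolved = if target.is_absolute() { None } else {
                    normalize(&link_dir.join(&target)).and_then(|t| self.resolve(&t, 0))
                };
                if resolved.is_none() && !self.allow_external_symlinks { return Outcome::Rejected; }
                if self.clear_cache_on_symlink { self.validated_dirs.clear(); }
                // Assumption: overwrite-enabled extraction, so the link replaces whatever was at `rel`.
                self.symlinks.insert(rel.clone(), resolved);
                Outcome::Placed(rel)
            }
        }
    }
}

/// Replay a constructed archive (not a real capture) and return one outcome per entry.
pub fn replay(clear_cache_on_symlink: bool) -> Vec<Outcome> {
    let mut ex = Extractor { allow_external_symlinks: true, clear_cache_on_symlink, ..Default::default() };
    let entries = [
        (PathBuf::from("pkg/lib"), Kind::Dir),
        (PathBuf::from("pkg/lib/keep.txt"), Kind::File), // warms the cache for pkg/lib
        (PathBuf::from("pkg/lib"), Kind::Symlink(PathBuf::from("../../../../../../tmp"))), // repoints it
        (PathBuf::from("pkg/lib/pwn.sh"), Kind::File), // the cached verdict for pkg/lib is stale now
        (PathBuf::from("../escape.txt"), Kind::File), // plain `..` traversal
    ];
    entries.iter().map(|(p, k)| ex.unpack(p, k.clone())).collect()
}

fn main() {
    println!("vulnerable (cache kept):  {:?}", replay(false));
    println!("patched (cache cleared):  {:?}", replay(true));
}
```

Compile with `rustc` and run: the cache-keeping replay reports the fourth entry as `Escaped("pkg/lib/pwn.sh")`, because the verdict for `pkg/lib` was memoized before the symlink replaced the directory, while the cache-clearing replay re-resolves the parent and rejects it. Both reject `../escape.txt` at normalization. The model resolves links lexically; a real extractor should canonicalize against the on-disk destination, and clearing the cache after every symlink is what forces that check to be redone rather than skipped.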

The primary vulnerable function is EntryFields::unpack_in_raw, as it contains the flawed unpacking logic. The public-facing API Entry::unpack_in is also a key runtime indicator, because it is the function developers call and it passes the entry directly to the vulnerable internal method. Both functions are therefore the ones to watch when detecting exploitation of this vulnerability at runtime.

Vulnerable functions

EntryFields::unpack_in_raw
src/entry.rs
This is the core function responsible for unpacking tar entries. The vulnerability lies in its insufficient validation of symlink paths: the original implementation allowed a crafted tar archive to create symlinks pointing outside the intended extraction directory and to route later entries through them, which is the path traversal. The function also had a TOCTOU (time-of-check-to-time-of-use) flaw in which a directory's validity was checked and cached before a later symlink entry changed what that path refers to. The patch replaces the flawed validation with robust path normalization and clears the directory cache whenever a symlink is encountered.
Entry::unpack_in
src/entry.rs
This is the primary public API function used to unpack a tar entry into a specified directory. It is the entry point for the vulnerability: it accepts a potentially malicious tar entry and passes it to the internal `EntryFields::unpack_in_raw` function, which contained the path traversal flaw. A runtime profile or stack trace captured during exploitation would show this function on the call path.

WAF Protection Rules

WAF Rule

### Impact

In versions 0.5.3 and earlier of astral-tokio-tar, tar archives may extract outside of their intended destination directory when using the `Entry::unpack_in_raw` API. Additionally, the `Entry::allow_external_symlinks` control (which defau

T** vuln*r**ility, i**nti*i** *s **S*-*w*q-wrw*-vqmv, is * p*t* tr*v*rs*l issu* in t** `*str*l-tokio-t*r` Rust *r*t*. T** root **us* is t** improp*r **n*lin* o* symlinks wit*in t*r *r**iv*s, w*i** *llows *n *tt**k*r to writ* *il*s outsi** t** int*n**