CVE-2025-59825: astral-tokio-tar has a path traversal in tar extraction
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| astral-tokio-tar | rust | <= 0.5.3 | 0.5.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability, tracked as GHSA-3wgq-wrwc-vqmv, is a path traversal in the astral-tokio-tar Rust crate. The root cause is improper handling of symlink entries during tar extraction, which lets a crafted archive write files outside the intended extraction directory. That arbitrary file write can in turn lead to remote code execution, depending on what the extracting process can reach.
Analysis of the fixing commit, 036fdecc85c52458ace92dc9e02e9cef90684e75, pinpoints the flaw to the unpack_in_raw method of the EntryFields struct in src/entry.rs. Its validation of symlink destinations was weak and could be bypassed by crafted targets containing .. sequences. It was also open to a time-of-check/time-of-use (TOCTOU) problem: a directory path could be validated and memoized, and a symlink unpacked later could alter the filesystem hierarchy beneath that path, so subsequent entries were written on the strength of a cached, now stale, verdict.
The patch addresses these issues by:
- Replacing the flawed normalize_absolute and normalize_relative helper functions with a single, more robust normalize function that correctly handles path components.
- Implementing stricter checks within EntryFields::unpack_in_raw to ensure that the fully resolved path of a symlink does not fall outside the target extraction directory.
- Clearing the memoization cache of directory paths whenever a symlink is encountered, to prevent the TOCTOU bypass.
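Added example (not code from astral-tokio-tar or its fixing commit): a miniature Rust extractor that models the three measures listed above over an in-memory stand-in for the destination directory. `normalize` is the lexical check that rejects absolute targets and any `..` that climbs above the root; `resolve` follows symlinks created by earlier entries, so a link target is judged by where it really lands rather than by its spelling; and `clear_cache_on_symlink` toggles the memoization fix. The archive in `crafted_archive` is constructed for this example and is not an exploit path taken from the advisory: each symlink is inside the root when it is checked, but the second one changes what the first resolves to, so with the cache left intact the final entry lands outside the root, and with the cache cleared on every symlink it is refused. All type and function names here are the example's own.

```rust
use std::collections::{HashMap, HashSet};
use std::path::{Component, Path, PathBuf};

/// Lexical normalisation relative to the extraction root: `.` is dropped, `..` pops the
/// previous component, and a `..` climbing above the root or an absolute path gives None.
pub fn normalize(path: &Path) -> Option<PathBuf> {
    let mut out = PathBuf::new();
    for comp in path.components() {
        match comp {
            Component::CurDir => {}
            Component::Normal(c) => out.push(c),
            Component::ParentDir => { if !out.pop() { return None; } }
            _ => return None, // Prefix or RootDir: absolute paths are never inside the root
        }
    }
    Some(out)
}

pub enum Entry { File(PathBuf), Symlink { path: PathBuf, target: PathBuf } }

/// Miniature extractor over an in-memory destination directory (constructed for the
/// example): `nodes` maps a root-relative path to its symlink target, or None for a file.
#[derive(Default)]
pub struct Extractor {
    pub nodes: HashMap<PathBuf, Option<PathBuf>>,
    validated_parents: HashSet<PathBuf>, // memoised "this parent directory is inside the root"
    pub clear_cache_on_symlink: bool,    // the fix: forget those answers once a symlink lands
}

impl Extractor {
    /// Resolve `path` as the kernel would, following symlinks created by earlier entries.
    /// Returns the real root-relative location, or None once resolution leaves the root.
    pub fn resolve(&self, path: &Path, depth: u32) -> Option<PathBuf> {
        if depth > 16 { return None; } // a symlink loop is treated as unsafe
        let mut cur = PathBuf::new();
        for comp in path.components() {
            match comp {
                Component::CurDir => {}
                Component::ParentDir => { if !cur.pop() { return None; } }
                Component::Normal(c) => {
                    cur.push(c);
                    if let Some(Some(target)) = self.nodes.get(&cur) {
                        let dir = cur.parent().map(Path::to_path_buf).unwrap_or_default();
                        cur = self.resolve(&dir.join(target), depth + 1)?;
                    }
                }
                _ => return None,
            }
        }
        Some(cur)
    }

    /// Ok(Some(real_path)) when the entry landed inside the root, Ok(None) when the
    /// kernel would have followed symlinks out of it, Err when the check refused it.
    pub fn unpack(&mut self, entry: &Entry) -> Result<Option<PathBuf>, String> {
        let (raw, target) = match entry {
            Entry::File(p) => (p, None),
            Entry::Symlink { path, target } => (path, Some(target)),
        };
        let path = normalize(raw).ok_or_else(|| format!("entry name {raw:?} escapes the root"))?;
        let name = path.file_name().ok_or("empty entry name")?.to_owned();
        let parent = path.parent().map(Path::to_path_buf).unwrap_or_default();
        // Parent check, memoised the way the advisory describes.
        if !self.validated_parents.contains(&parent) {
            if self.resolve(&parent, 0).is_none() {
                return Err(format!("parent of {path:?} resolves outside the root"));
            }
            self.validated_parents.insert(parent.clone());
        }
        if let Some(target) = target {
            // The link target, fully resolved from the link's own directory, must stay inside.
            if self.resolve(&parent.join(target), 0).is_none() {
                return Err(format!("symlink {path:?} -> {target:?} escapes the root"));
            }
            self.nodes.insert(path.clone(), Some(target.clone()));
            if self.clear_cache_on_symlink { self.validated_parents.clear(); }
            return Ok(Some(path));
        }
        // The kernel follows symlinks regardless of what the cache believed.
        let real_parent = match self.resolve(&parent, 0) { Some(p) => p, None => return Ok(None) };
        let real = real_parent.join(name);
        self.nodes.insert(real.clone(), None);
        Ok(Some(real))
    }
}

/// Constructed archive: each symlink passes its own check, but the second one changes
/// where the first resolves to, so a cached answer about "z" goes stale.
pub fn crafted_archive() -> Vec<Entry> {
    vec![
        Entry::Symlink { path: "z".into(), target: "a/x/..".into() }, // resolves to "a" for now
        Entry::File("z/keep".into()),                                  // validates and caches "z"
        Entry::Symlink { path: "a/x".into(), target: "..".into() },    // z now resolves above the root
        Entry::File("z/payload".into()),                               // a stale cache still trusts "z"
    ]
}

/// Unpack the crafted archive in order and return every entry's outcome.
pub fn extract_all(clear_cache_on_symlink: bool) -> Vec<Result<Option<PathBuf>, String>> {
    let mut ex = Extractor { clear_cache_on_symlink, ..Default::default() };
    crafted_archive().iter().map(|e| ex.unpack(e)).collect()
}
```

`extract_all(false)` returns `Ok(None)` for the last entry (the write lands outside the root) while `extract_all(true)` returns an `Err` for it, which is exactly the behavioural difference the cache-clearing bullet is about. The general point is that a memoized "this path is inside the destination" verdict is only valid until the next entry that can change name resolution, and on a real filesystem that is every symlink unpacked.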
The primary vulnerable function is EntryFields::unpack_in_raw, which holds the flawed unpacking logic. The public API Entry::unpack_in is also a key runtime indicator: it is the function developers call, and it invokes the vulnerable internal method directly. Both are therefore useful hooks for detecting exploitation of this vulnerability at runtime.
Vulnerable functions
- EntryFields::unpack_in_raw in src/entry.rs
- Entry::unpack_in in src/entry.rs