The vulnerability, identified as GHSA-3wgq-wrwc-vqmv, is a path traversal issue in the astral-tokio-tar Rust crate. The root cause is improper handling of symlinks within tar archives, which allows an attacker who controls an archive to write files outside the intended extraction directory. Depending on what is overwritten, such an arbitrary file write can escalate to remote code execution.
The analysis of the fixing commit, 036fdecc85c52458ace92dc9e02e9cef90684e75, pinpoints the flaw to the unpack_in_raw method of the EntryFields struct in src/entry.rs. Its validation of symlink destinations was weak and could be bypassed by crafted paths containing .. sequences. It was also susceptible to a TOCTOU problem: a directory path could be validated and cached as safe, after which a subsequently unpacked symlink changed what that path referred to on the filesystem, so later entries were written through the symlink without being re-checked.
The patch addresses these issues by:

- replacing the normalize_absolute and normalize_relative helper functions with a single, more robust normalize function that correctly handles path components;
- hardening EntryFields::unpack_in_raw so that the fully resolved path of a symlink is checked and rejected if it falls outside the target extraction directory.

The primary vulnerable function is EntryFields::unpack_in_raw, since it contains the flawed unpacking logic. The public-facing API Entry::unpack_in is also a key runtime indicator: it is the function developers call, and it invokes the vulnerable internal method directly. Both functions are therefore useful hooks for detecting exploitation of this vulnerability at runtime.
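The following Rust code is an added illustration for this page, not code from astral-tokio-tar or its fixing commit. It shows the two ideas the fix relies on: a single lexical normalize that handles every path component and refuses to climb above the extraction root, and a symlink check that evaluates where a link target really lands. It also demonstrates why a purely lexical check of later entries is not enough once a symlink has been created: the simulated extractor resolves each entry through the symlinks written earlier in the same archive, the way the kernel would. All names (normalize, Extractor, unpack_path, unpack_symlink, MAX_LINK_HOPS) and the archive entries fed to it are assumptions constructed for the example; extraction is simulated in memory and nothing touches the real filesystem.

```rust
use std::collections::{BTreeMap, VecDeque};
use std::path::{Component, Path, PathBuf};

/// Hypothetical hop limit for following symlinks created by earlier entries,
/// so a symlink cycle in the archive cannot spin the resolver forever.
const MAX_LINK_HOPS: usize = 40;

/// Lexically normalize an archive member path relative to the extraction root.
/// `.` is dropped, `..` pops the previous component, and the path is rejected
/// (None) if it is absolute, carries a Windows prefix, or climbs above the root.
pub fn normalize(path: &Path) -> Option<PathBuf> {
    let mut out = PathBuf::new();
    for comp in path.components() {
        match comp {
            Component::Prefix(_) | Component::RootDir => return None,
            Component::CurDir => {}
            Component::ParentDir => {
                if !out.pop() {
                    return None; // `..` would leave the extraction root
                }
            }
            Component::Normal(name) => out.push(name),
        }
    }
    Some(out)
}

/// Simulated extractor (constructed for this example) that remembers every
/// symlink it has created so far. Later entries are resolved *through* those
/// symlinks instead of trusting a purely lexical view of their path.
#[derive(Default)]
pub struct Extractor {
    links: BTreeMap<PathBuf, PathBuf>, // resolved link path -> raw link target
}

impl Extractor {
    /// Walk `path` component by component. When a component is a symlink
    /// created earlier in this archive, splice its target (relative to the
    /// link's parent) in place of the link and keep walking. Returns the
    /// root-relative location the entry would really land at, or None if it
    /// escapes the root or follows a symlink cycle.
    fn resolve<'a>(&'a self, path: &'a Path) -> Option<PathBuf> {
        let mut todo: VecDeque<Component<'a>> = path.components().collect();
        let mut cur = PathBuf::new();
        let mut hops = 0;
        while let Some(comp) = todo.pop_front() {
            match comp {
                Component::Prefix(_) | Component::RootDir => return None,
                Component::CurDir => {}
                Component::ParentDir => {
                    if !cur.pop() {
                        return None;
                    }
                }
                Component::Normal(name) => {
                    cur.push(name);
                    if let Some(target) = self.links.get(&cur) {
                        hops += 1;
                        if hops > MAX_LINK_HOPS {
                            return None; // symlink cycle
                        }
                        cur.pop();
                        for tc in target.components().rev() {
                            todo.push_front(tc);
                        }
                    }
                }
            }
        }
        Some(cur)
    }

    /// Where a regular file or directory entry would actually be written.
    pub fn unpack_path(&self, path: &str) -> Result<PathBuf, String> {
        self.resolve(Path::new(path))
            .ok_or_else(|| format!("{path}: escapes the extraction root (or loops)"))
    }

    /// Create a symlink entry only if both the link location and the place its
    /// target points at stay inside the extraction root.
    pub fn unpack_symlink(&mut self, path: &str, target: &str) -> Result<PathBuf, String> {
        let link = self.unpack_path(path)?;
        let parent = link.parent().map(Path::to_path_buf).unwrap_or_default();
        self.resolve(&parent.join(target))
            .ok_or_else(|| format!("{path} -> {target}: target escapes the extraction root"))?;
        self.links.insert(link.clone(), PathBuf::from(target));
        Ok(link)
    }
}

fn main() {
    let mut ex = Extractor::default();
    println!("{:?}", ex.unpack_symlink("data/link", "../../etc")); // rejected
    println!("{:?}", ex.unpack_symlink("data/up", ".."));          // points at the root: allowed
    // Lexically "data/up/../x" is "data/x"; through the link it is "data/../../x".
    println!("{:?}", normalize(Path::new("data/up/../x")));
    println!("{:?}", ex.unpack_path("data/up/../x"));              // rejected
}
```

The contrast in main is the point: normalize alone reports data/up/../x as the harmless data/x, but once data/up has been created as a link to .., the kernel would resolve the same path to the parent of the extraction root. A check that validates and caches paths before later symlink entries are written reaches exactly that wrong conclusion, which is why the resolved destination has to be evaluated at the time each entry is unpacked. This simulation only tracks links created from the archive itself; a real extractor must also account for symlinks already present under the destination directory and for concurrent modification of it.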
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| astral-tokio-tar | rust | <= 0.5.3 | 0.5.4 |