GHSA-3cv2-h65g-fgmm: astral-tokio-tar has a PAX Header Desynchronization issue
Versions of astral-tokio-tar prior to 0.6.2 contain a PAX header interpretation bug that allows manipulated archive entries to be made selectively visible or invisible during extraction, depending on whether the archive is extracted with astral-tokio-tar or with another tar implementation. An attacker could use this differential to smuggle unexpected files onto a victim's filesystem.