GHSA-fp55-jw48-c537: astral-tokio-tar is Vulnerable to PAX Header Desynchronization
Versions of astral-tokio-tar prior to 0.6.1 contain a PAX header interpretation bug that allows manipulated entries to be made selectively visible or invisible during extraction with astral-tokio-tar versus other tar implementations. An attacker could use this differential to smuggle unexpected files onto a victim’s filesystem.
See GHSA-j5gw-2vrg-8fgx for a similar desynchronization bug in astral-tokio-tar.