GHSA-xx64-wwv2-hcqq: astral-tokio-tar: `unpack_in` can chmod arbitrary directories by following symlinks
In versions 0.6.0 and earlier of astral-tokio-tar, the unpack_in API could inadvertently modify the permissions of external (i.e. non-archive) directories outside of the archive. An attacker could use this to construct a tar archive that maliciously changes directory permissions outside of its intended hierarchy. This flaw only affects directories; individual file permissions cannot be modified via it.
See GHSA-j4xf-2g29-59ph for the equivalent flaw in the tar crate.
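The root cause described above is a permission change applied to a directory path that has not been checked after symlink resolution, so a symlink inside the archive can redirect the chmod to a directory outside the extraction root. The following is an added example, not code from astral-tokio-tar or the tar crate, showing the containment check a safe extractor performs before touching a directory's mode: canonicalize both the extraction root and the entry's path (which follows symlinks), refuse if the resolved target is not under the root, and only then apply the mode. It assumes a Unix host; `chmod_dir_within_root`, `ChmodOutcome`, `make_fixture` and `mode_of` are names chosen for this example, and the `root/escape -> ../outside` layout is a constructed fixture.

```rust
// Added example (not astral-tokio-tar's own code). Assumes a Unix host,
// where directory permission bits are set with std::os::unix::fs::PermissionsExt.
use std::fs;
use std::io;
use std::os::unix::fs::PermissionsExt;
use std::path::{Path, PathBuf};
use std::time::{SystemTime, UNIX_EPOCH};

/// Result of one attempted directory permission change during extraction.
#[derive(Debug, PartialEq)]
pub enum ChmodOutcome {
    /// Resolved directory is inside the extraction root; its mode was changed.
    Applied(PathBuf),
    /// Resolved directory lies outside the root (e.g. via a symlink); nothing was touched.
    Refused(PathBuf),
}

/// Apply `mode` to `root/entry_path` only if, after resolving every symlink in
/// both paths, the real target directory still lives beneath the real root.
pub fn chmod_dir_within_root(root: &Path, entry_path: &Path, mode: u32) -> io::Result<ChmodOutcome> {
    // canonicalize() follows symlinks, so `root/escape` becomes wherever `escape` points.
    let real_root = fs::canonicalize(root)?;
    let real_target = fs::canonicalize(root.join(entry_path))?;

    // Component-wise prefix check: `/tmp/root-evil` is not inside `/tmp/root`.
    if !real_target.starts_with(&real_root) {
        return Ok(ChmodOutcome::Refused(real_target));
    }
    if !real_target.is_dir() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "entry is not a directory"));
    }
    fs::set_permissions(&real_target, fs::Permissions::from_mode(mode))?;
    Ok(ChmodOutcome::Applied(real_target))
}

/// Permission bits (lower 12 bits) of `path`, for before/after comparison.
pub fn mode_of(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o7777)
}

/// Constructed fixture under the system temp dir:
///   base/root/inner          real directory (legitimate archive entry)
///   base/root/escape -> ../outside   symlink pointing outside the root
///   base/outside             directory that must never be chmod'ed
/// Returns (root, outside).
pub fn make_fixture() -> io::Result<(PathBuf, PathBuf)> {
    let nanos = SystemTime::now().duration_since(UNIX_EPOCH).map(|d| d.as_nanos()).unwrap_or(0);
    let base = std::env::temp_dir().join(format!("chmod-demo-{}-{}", std::process::id(), nanos));
    let root = base.join("root");
    let outside = base.join("outside");
    fs::create_dir_all(root.join("inner"))?;
    fs::create_dir_all(&outside)?;
    std::os::unix::fs::symlink("../outside", root.join("escape"))?;
    Ok((root, outside))
}

fn main() -> io::Result<()> {
    let (root, outside) = make_fixture()?;
    let before = mode_of(&outside)?;

    // A directory entry whose path goes through the symlink: refused, mode untouched.
    let escaped = chmod_dir_within_root(&root, Path::new("escape"), 0o777)?;
    println!("escape -> {:?}; outside mode {:o} -> {:o}", escaped, before, mode_of(&outside)?);

    // A real directory inside the root: mode applied.
    let inner = chmod_dir_within_root(&root, Path::new("inner"), 0o700)?;
    println!("inner  -> {:?}; inner mode now {:o}", inner, mode_of(&root.join("inner"))?);

    fs::remove_dir_all(root.parent().unwrap())
}
```

The check must run on the canonicalized path, not on the archive's entry name: the name `escape` contains no `..` component and would pass a purely lexical filter, which is exactly why a symlink-following chmod can reach outside the archive's hierarchy.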