A severe vulnerability in the async-tar Rust library and its popular forks, including the widely used tokio-tar. Dubbed TARmageddon and tracked as CVE-2025-62518, the bug carries a CVSS score of 8.1, classifying it as high severity.

It allows attackers to manipulate TAR archive parsing, potentially overwriting critical files like configuration scripts and triggering remote code execution (RCE) in affected systems.

According to Edra, the flaw stems from a boundary-parsing error that mishandles nested TAR files, especially when PAX extended headers conflict with ustar headers.

In vulnerable versions, the parser skips over actual file data based on a misleading zero-byte size in the ustar header, while ignoring the correct size in the PAX header.

This desynchronization lets hidden entries from inner archives “smuggle” into the outer extraction, overwriting files in the target directory.

Major projects like Astral’s uv Python package manager, testcontainers for container testing, and wasmCloud are at risk, with the vulnerability’s reach extending across millions of downloads due to tokio-tar’s ubiquity in the Rust ecosystem.

Navigating The Maze Of Abandoned Forks

Disclosing and patching TARmageddon proved unusually complex because tokio-tar, the most downloaded fork with over 5 million crates.io pulls, appears abandoned, with no active maintainers, no SECURITY.md file, and scant contact info.

Edera coordinated a decentralized effort across the fork lineage: from the root async-tar to tokio-tar, then to their own krata-tokio-tar (now archived) and Astral’s actively maintained astral-tokio-tar.

Researchers developed patches for the active forks, shared them under a 60-day embargo starting August 21, 2025, and reached out to downstream projects like binstalk and opa-wasm.

While Astral swiftly integrated the fix into uv and their fork, responses from others were mixed; some planned to drop the dependency, while uncontacted users remain exposed.

The original tokio-tar and async-tar lack patches, forcing users to migrate manually. Edera urges immediate upgrades to patched versions or removal of the dependency, with astral-tokio-tar as the recommended alternative.

The patch enforces PAX header priority for size checks, validates header consistency, and adds boundary safeguards to prevent misalignment.

For those unable to switch quickly, workarounds include using the synchronous tar crate or runtime checks like manifest validation and sandboxed extractions.

Attackers could exploit TARmageddon in devious ways. In one scenario, a malicious PyPI package uses an outer TAR with a benign pyproject.toml, but a nested inner TAR overwrites it with a rogue build backend, executing code during installation on developer or CI machines.

Container frameworks like testcontainers risk poisoning test environments by extracting tainted image layers, introducing backdoors. Security scanners might approve a “clean” outer archive, only for extraction to pull in unscanned malware, bypassing bill-of-materials checks.

This incident underscores Rust’s limits: while it thwarts memory bugs, logic flaws like this persist in unmaintained code.

The 60-day timeline from discovery on August 21 to coordinated release on October 21 highlights the inefficiencies of fork-heavy ecosystems.

Edera notes their own products dodged impact through defense-in-depth, but the episode calls for better maintenance signals and proactive forking in open source.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post TARmageddon Vulnerability In Rust Library Let Attackers Replace Config Files And Execute Remote Codes appeared first on Cyber Security News.

Oracle has disclosed multiple critical vulnerabilities in its Oracle VM VirtualBox virtualization software, potentially allowing attackers to achieve complete control over the VirtualBox environment.

These flaws, detailed in the October 2025 Critical Patch Update (CPU), affect the Core component of VirtualBox versions 7.1.12 and 7.2.2, enabling high-privileged local attackers to compromise confidentiality, integrity, and availability with devastating consequences.

The disclosure highlights the ongoing risks in virtualization platforms, where even local access can lead to broader system impacts due to scope changes.

Experts warn that these vulnerabilities could facilitate full takeover scenarios, making immediate patching essential for users relying on VirtualBox for development, testing, and secure isolation.

No evidence of active exploitation has surfaced yet, but the high CVSS scores underscore the urgency.

Oracle’s advisory emphasizes that while exploitation requires high privileges and local access, the potential for unauthorized data access and denial-of-service attacks remains a severe threat.

Vulnerability Breakdown And Affected Versions

The October 2025 CPU addresses nine specific CVEs in VirtualBox’s Core, all classified as local exploits without remote authentication.

These issues stem from improper privilege handling and unsafe actions, allowing attackers with infrastructure logon to escalate control.

The most severe, including CVE-2025-62587 through CVE-2025-62590 and CVE-2025-62641, carry a CVSS 3.1 Base Score of 8.2, indicating high risk due to low attack complexity and changed scope.

For a comprehensive overview, the following table summarizes the CVEs, affected products, scores, and impacts based on Oracle’s risk matrix:

Lower-severity flaws like CVE-2025-61759 and CVE-2025-62591 to 62592 score 6.0 to 6.5, focusing on confidentiality breaches without integrity or availability disruption.

All vulnerabilities require local access but can propagate beyond VirtualBox due to scope changes. Successful exploitation could result in the complete takeover of the VirtualBox environment, exposing sensitive virtual machine data and enabling malware persistence across isolated systems.

For enterprises using VirtualBox in development pipelines or as a lightweight hypervisor, this poses risks of data leaks, ransomware deployment, or lateral movement in networks.

Individual developers might face personal data compromise if running untrusted guest OSes. The high integrity and availability impacts (scoring High) could cause crashes or unauthorized modifications, disrupting workflows.

While no public proofs-of-concept exist, the flaws’ similarity to past virtualization bugs raises concerns about targeted attacks.

Mitigations

Oracle urges users to apply the October 2025 CPU patches immediately, available via the official download portal.

Beyond patching, organizations should enforce least-privilege access, monitor high-privileged accounts, and audit VirtualBox configurations for unnecessary exposures.

Disabling unused features and isolating VirtualBox instances in segmented networks can mitigate risks. For those unable to patch promptly, temporary workarounds include restricting logon privileges and validating system integrity regularly.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Multiple Oracle VM VirtualBox Vulnerabilities Enables Complete Takeover Of VirtualBox appeared first on Cyber Security News.