• A severe vulnerability has been disclosed in the async-tar Rust library and its popular forks, including the widely used tokio-tar. Dubbed TARmageddon and tracked as CVE-2025-62518, the bug carries a CVSS score of 8.1, classifying it as high severity.

    It allows attackers to manipulate TAR archive parsing, potentially overwriting critical files like configuration scripts and triggering remote code execution (RCE) in affected systems.

    According to Edera, the flaw stems from a boundary-parsing error that mishandles nested TAR files, especially when PAX extended headers conflict with ustar headers.

    In vulnerable versions, the parser skips over actual file data based on a misleading zero-byte size in the ustar header, while ignoring the correct size in the PAX header.

    This desynchronization lets hidden entries from inner archives “smuggle” into the outer extraction, overwriting files in the target directory.

    Major projects like Astral’s uv Python package manager, testcontainers for container testing, and wasmCloud are at risk, with the vulnerability’s reach extending across millions of downloads due to tokio-tar’s ubiquity in the Rust ecosystem.

    Navigating The Maze Of Abandoned Forks

    Disclosing and patching TARmageddon proved unusually complex because tokio-tar, the most downloaded fork with over 5 million crates.io pulls, appears abandoned, with no active maintainers, no SECURITY.md file, and scant contact info.

    Edera coordinated a decentralized effort across the fork lineage: from the root async-tar to tokio-tar, then to their own krata-tokio-tar (now archived) and Astral’s actively maintained astral-tokio-tar.

    Researchers developed patches for the active forks, shared them under a 60-day embargo starting August 21, 2025, and reached out to downstream projects like binstalk and opa-wasm.

    While Astral swiftly integrated the fix into uv and their fork, responses from others were mixed; some planned to drop the dependency, while uncontacted users remain exposed.

    The original tokio-tar and async-tar lack patches, forcing users to migrate manually. Edera urges immediate upgrades to patched versions or removal of the dependency, with astral-tokio-tar as the recommended alternative.

    The patch enforces PAX header priority for size checks, validates header consistency, and adds boundary safeguards to prevent misalignment.

    For those unable to switch quickly, workarounds include using the synchronous tar crate or runtime checks like manifest validation and sandboxed extractions.
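    As an added example (not code from Edera, tokio-tar or astral-tokio-tar), the following Rust program implements the kind of runtime check the mechanism above calls for: it walks a TAR byte stream header by header, reports every entry whose PAX size record disagrees with the ustar size field (the disagreement that desynchronises a vulnerable parser), and advances through the data using the PAX size, mirroring the PAX-priority rule the patch enforces. The archive bytes, entry names and the SizeMismatch type are constructed for this example; a practitioner would run the check on untrusted archives before handing them to an extractor, and reject any archive that produces a finding.

```rust
// Added example: read-only PAX/ustar size consistency check for a TAR stream.
// Uses only the standard library. Not the code of any crate named on the page.

const BLOCK: usize = 512;

/// One finding: the entry name and the two sizes that disagree.
#[derive(Debug, PartialEq)]
pub struct SizeMismatch {
    pub name: String,
    pub ustar_size: u64,
    pub pax_size: u64,
}

/// Parse a NUL/space-padded octal field as used in ustar headers.
fn octal_field(bytes: &[u8]) -> Option<u64> {
    let s = std::str::from_utf8(bytes).ok()?;
    let digits = s.trim_matches(|c: char| c == '\0' || c == ' ');
    if digits.is_empty() {
        return Some(0);
    }
    u64::from_str_radix(digits, 8).ok()
}

/// Read a NUL-terminated name field.
fn c_string(bytes: &[u8]) -> String {
    let end = bytes.iter().position(|&b| b == 0).unwrap_or(bytes.len());
    String::from_utf8_lossy(&bytes[..end]).into_owned()
}

/// Walk PAX records ("<len> <key>=<value>\n") and return the "size" value, if present.
fn pax_size(data: &[u8]) -> Option<u64> {
    let mut rest = data;
    while !rest.is_empty() {
        let space = rest.iter().position(|&b| b == b' ')?;
        let len: usize = std::str::from_utf8(&rest[..space]).ok()?.parse().ok()?;
        if len <= space + 1 || len > rest.len() {
            return None; // malformed record: stop rather than guess
        }
        let record = &rest[space + 1..len - 1]; // drop length prefix and trailing '\n'
        if let Some(value) = record.strip_prefix(b"size=") {
            return std::str::from_utf8(value).ok()?.parse().ok();
        }
        rest = &rest[len..];
    }
    None
}

/// Scan the archive and report entries whose ustar size field disagrees with
/// the PAX "size" record that precedes them. Advances using the PAX size.
pub fn find_size_mismatches(archive: &[u8]) -> Vec<SizeMismatch> {
    let mut findings = Vec::new();
    let mut pending_pax: Option<u64> = None;
    let mut offset = 0usize;
    while offset.saturating_add(BLOCK) <= archive.len() {
        let header = &archive[offset..offset + BLOCK];
        if header.iter().all(|&b| b == 0) {
            break; // end-of-archive marker
        }
        let ustar_size = octal_field(&header[124..136]).unwrap_or(0);
        let typeflag = header[156];
        offset += BLOCK;
        let mut data_len = ustar_size as usize;
        match typeflag {
            b'x' => {
                let end = offset.saturating_add(data_len).min(archive.len());
                pending_pax = pax_size(&archive[offset..end]);
            }
            b'g' => {} // global PAX header: not per-entry, ignored here
            _ => {
                if let Some(pax) = pending_pax.take() {
                    if pax != ustar_size {
                        findings.push(SizeMismatch {
                            name: c_string(&header[..100]),
                            ustar_size,
                            pax_size: pax,
                        });
                    }
                    data_len = pax as usize; // PAX size takes priority over ustar
                }
            }
        }
        // Skip the entry data, rounded up to whole 512-byte blocks.
        let blocks = data_len.saturating_add(BLOCK - 1) / BLOCK;
        offset = offset.saturating_add(blocks.saturating_mul(BLOCK));
    }
    findings
}

/// Test helper (constructed for this example): build one ustar header block.
pub fn ustar_header(name: &str, size: u64, typeflag: u8) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..108].copy_from_slice(b"0000644\0");
    h[124..136].copy_from_slice(format!("{:011o}\0", size).as_bytes());
    h[148..156].copy_from_slice(b"        "); // checksum is computed over spaces
    h[156] = typeflag;
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    let sum: u32 = h.iter().map(|&b| u32::from(b)).sum();
    h[148..156].copy_from_slice(format!("{:06o}\0 ", sum).as_bytes());
    h
}

fn padded(data: &[u8]) -> Vec<u8> {
    let mut v = data.to_vec();
    v.resize((v.len() + BLOCK - 1) / BLOCK * BLOCK, 0);
    v
}

/// Constructed sample archive: a PAX header advertising size=1024, then a
/// regular entry whose ustar size field is `ustar_size`, then 1024 data bytes.
pub fn sample_archive(ustar_size: u64) -> Vec<u8> {
    let pax = b"13 size=1024\n";
    let mut out = Vec::new();
    out.extend_from_slice(&ustar_header("PaxHeaders/inner.tar", pax.len() as u64, b'x'));
    out.extend_from_slice(&padded(pax));
    out.extend_from_slice(&ustar_header("inner.tar", ustar_size, b'0'));
    out.extend_from_slice(&padded(&[b'A'; 1024]));
    out.extend_from_slice(&[0u8; 2 * BLOCK]);
    out
}

fn main() {
    for f in find_size_mismatches(&sample_archive(0)) {
        println!("size mismatch in {}: ustar={} pax={}", f.name, f.ustar_size, f.pax_size);
    }
}
```

    The checker deliberately stops at a malformed PAX record instead of guessing, and it treats a single mismatch as grounds to reject the whole archive, since everything after that point may be parsed at the wrong boundary.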

    Attackers could exploit TARmageddon in devious ways. In one scenario, a malicious PyPI package uses an outer TAR with a benign pyproject.toml, but a nested inner TAR overwrites it with a rogue build backend, executing code during installation on developer or CI machines.

    Container frameworks like testcontainers risk poisoning test environments by extracting tainted image layers, introducing backdoors. Security scanners might approve a “clean” outer archive, only for extraction to pull in unscanned malware, bypassing bill-of-materials checks.

    This incident underscores Rust’s limits: while it thwarts memory bugs, logic flaws like this persist in unmaintained code.

    The 60-day timeline from discovery on August 21 to coordinated release on October 21 highlights the inefficiencies of fork-heavy ecosystems.

    Edera notes their own products dodged impact through defense-in-depth, but the episode calls for better maintenance signals and proactive forking in open source.


    The post TARmageddon Vulnerability In Rust Library Let Attackers Replace Config Files And Execute Remote Codes appeared first on Cyber Security News.


  • Cybersecurity researchers have shed light on a cybercriminal group called Jingle Thief that has been observed targeting cloud environments associated with organizations in the retail and consumer services sectors for gift card fraud. “Jingle Thief attackers use phishing and smishing to steal credentials, to compromise organizations that issue gift cards,” Palo Alto Networks Unit 42 researchers


  • Oracle has disclosed multiple critical vulnerabilities in its Oracle VM VirtualBox virtualization software, potentially allowing attackers to achieve complete control over the VirtualBox environment.

    These flaws, detailed in the October 2025 Critical Patch Update (CPU), affect the Core component of VirtualBox versions 7.1.12 and 7.2.2, enabling high-privileged local attackers to compromise confidentiality, integrity, and availability with devastating consequences.

    The disclosure highlights the ongoing risks in virtualization platforms, where even local access can lead to broader system impacts due to scope changes.

    Experts warn that these vulnerabilities could facilitate full takeover scenarios, making immediate patching essential for users relying on VirtualBox for development, testing, and secure isolation.

    No evidence of active exploitation has surfaced yet, but the high CVSS scores underscore the urgency.

    Oracle’s advisory emphasizes that while exploitation requires high privileges and local access, the potential for unauthorized data access and denial-of-service attacks remains a severe threat.

    Vulnerability Breakdown And Affected Versions

    The October 2025 CPU addresses nine specific CVEs in VirtualBox’s Core, all classified as local exploits without remote authentication.

    These issues stem from improper privilege handling and unsafe actions, allowing attackers with infrastructure logon to escalate control.

    The most severe, including CVE-2025-62587 through CVE-2025-62590 and CVE-2025-62641, carry a CVSS 3.1 Base Score of 8.2, indicating high risk due to low attack complexity and changed scope.

    For a comprehensive overview, the following table summarizes the CVEs, affected products, scores, and impacts based on Oracle’s risk matrix:

    CVE ID          Product               Component  Remote Exploit without Auth.?  CVSS 3.1 Base Score  Attack Vector  Attack Complexity  User Interaction  Supported Versions Affected
    CVE-2025-62587  Oracle VM VirtualBox  Core       No                             8.2                  Local          Low                None              7.1.12, 7.2.2
    CVE-2025-62588  Oracle VM VirtualBox  Core       No                             8.2                  Local          Low                None              7.1.12, 7.2.2
    CVE-2025-62589  Oracle VM VirtualBox  Core       No                             8.2                  Local          Low                None              7.1.12, 7.2.2
    CVE-2025-62641  Oracle VM VirtualBox  Core       No                             8.2                  Local          Low                None              7.1.12, 7.2.2
    CVE-2025-62590  Oracle VM VirtualBox  Core       No                             8.2                  Local          Low                None              7.1.12, 7.2.2
    CVE-2025-61760  Oracle VM VirtualBox  Core       No                             7.5                  Local          High               Required          7.1.12, 7.2.2
    CVE-2025-61759  Oracle VM VirtualBox  Core       No                             6.5                  Local          Low                None              7.1.12, 7.2.2
    CVE-2025-62591  Oracle VM VirtualBox  Core       No                             6.0                  Local          Low                None              7.1.12, 7.2.2
    CVE-2025-62592  Oracle VM VirtualBox  Core       No                             6.0                  Local          Low                None              7.1.12, 7.2.2

    Lower-severity flaws such as CVE-2025-61759, CVE-2025-62591 and CVE-2025-62592 score 6.0 to 6.5; they affect confidentiality only, with no integrity or availability impact.

    All vulnerabilities require local access but can propagate beyond VirtualBox due to scope changes. Successful exploitation could result in the complete takeover of the VirtualBox environment, exposing sensitive virtual machine data and enabling malware persistence across isolated systems.

    For enterprises using VirtualBox in development pipelines or as a lightweight hypervisor, this poses risks of data leaks, ransomware deployment, or lateral movement in networks.

    Individual developers might face personal data compromise if running untrusted guest OSes. The high integrity and availability impacts (scoring High) could cause crashes or unauthorized modifications, disrupting workflows.

    While no public proofs-of-concept exist, the flaws’ similarity to past virtualization bugs raises concerns about targeted attacks.

    Mitigations

    Oracle urges users to apply the October 2025 CPU patches immediately, available via the official download portal.

    Beyond patching, organizations should enforce least-privilege access, monitor high-privileged accounts, and audit VirtualBox configurations for unnecessary exposures.

    Disabling unused features and isolating VirtualBox instances in segmented networks can mitigate risks. For those unable to patch promptly, temporary workarounds include restricting logon privileges and validating system integrity regularly.


    The post Multiple Oracle VM VirtualBox Vulnerabilities Enables Complete Takeover Of VirtualBox appeared first on Cyber Security News.


  • The Internet Systems Consortium (ISC) has disclosed three critical vulnerabilities in BIND 9, the most widely deployed DNS software globally. All three vulnerabilities were publicly disclosed on October 22, 2025, affecting DNS resolvers and potentially impacting millions of users worldwide. Organizations running affected BIND 9 versions should prioritize immediate patching to prevent exploitation. The three […]

    The post BIND 9 Vulnerabilities Expose DNS Servers to Cache Poisoning and DoS appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • The Edera security team has discovered a critical vulnerability in the async-tar Rust library and its descendants, including the widely-used tokio-tar. Dubbed TARmageddon and assigned CVE-2025-62518, this flaw carries a CVSS score of 8.1 (High) and enables attackers to execute remote code by overwriting configuration files and hijacking critical build systems. Field Details CVE ID CVE-2025-62518 Vulnerability […]

    The post TARmageddon Security Flaw in Rust Library Could Lead to Config Tampering and RCE appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Group-IB Threat Intelligence has uncovered a sophisticated phishing campaign orchestrated by the Iran-linked Advanced Persistent Threat group MuddyWater, targeting international organizations worldwide to gather foreign intelligence. The campaign demonstrates the threat actor’s evolving tactics and enhanced operational maturity in exploiting trusted communication channels to infiltrate high-value targets. MuddyWater launched the operation by accessing a compromised […]

    The post New Malware Toolkit from MuddyWater Delivers Phoenix Backdoor to Global Targets appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • The Internet Systems Consortium (ISC) disclosed three high-severity vulnerabilities in BIND 9 on October 22, 2025, potentially allowing remote attackers to conduct cache poisoning attacks or cause denial-of-service (DoS) conditions on affected DNS resolvers.

    These flaws, tracked as CVE-2025-8677, CVE-2025-40778, and CVE-2025-40780, primarily impact recursive resolvers used by organizations for domain name resolution, leaving authoritative DNS servers largely unaffected.

    With BIND powering a significant portion of the internet’s DNS infrastructure, administrators are urged to apply patches immediately to mitigate risks of service disruptions and malicious redirections.

    Flaws Exposed In Resolver Logic

    CVE-2025-8677 involves resource exhaustion triggered by malformed DNSKEY records in specially crafted zones, leading to CPU overload on resolvers during queries.

    Rated at a CVSS score of 7.5, this vulnerability enables attackers to remotely overwhelm servers without authentication, severely degrading performance for legitimate users.

    ISC notes that while authoritative setups remain safe, resolvers in recursive mode are prime targets, echoing concerns from their knowledge base on unintended query behaviors.

    The other two issues center on cache poisoning, a technique reminiscent of the 2008 Dan Kaminsky attack that once threatened global DNS integrity.

    CVE-2025-40778 (CVSS 8.6) stems from BIND’s overly permissive handling of unsolicited resource records in responses, allowing forged data to infiltrate the cache and corrupt future resolutions.

    Similarly, CVE-2025-40780 (CVSS 8.6) exploits a weak pseudo-random number generator (PRNG), making source ports and query IDs predictable for spoofing malicious replies into the cache.

    Both flaws elevate the attack surface by enabling scope changes in impact, as tainted caches could redirect traffic across networks.

    Researchers from Nankai University, Tsinghua University, and Hebrew University of Jerusalem identified these issues, crediting their work in ISC’s advisories.

    No active exploits are known yet, but the remote, unauthenticated nature heightens urgency given BIND’s widespread deployment.

    Successful exploitation could lead to phishing, malware distribution, or man-in-the-middle attacks by diverting users to attacker-controlled sites.

    For instance, poisoned caches might replace legitimate IP addresses with malicious ones, mimicking trusted domains and eroding user trust in online services.

    DoS from CVE-2025-8677 risks operational downtime, financial losses, and reduced productivity for businesses reliant on stable DNS.

    Organizations running vulnerable versions, spanning BIND 9.11.0 through 9.21.12 as well as the Supported Preview Editions, face elevated threats, especially in cloud and enterprise environments.

    ISC emphasizes that these vulnerabilities underscore ongoing DNS resilience challenges, even after post-Kaminsky mitigations such as randomized query IDs.

    Distributions like Ubuntu and Red Hat have begun issuing updates, with package maintainers encouraged to release patches swiftly.

    Mitigations

    No workarounds exist, so upgrading to fixed releases is essential: BIND 9.18.41, 9.20.15, or 9.21.14 for standard branches, and corresponding Supported Preview versions.

    Selective patches are available in release directories for those preferring minimal changes. Administrators should review ISC’s advisories and monitor for distribution updates to safeguard against these DNS threats.

    As BIND evolves, such disclosures highlight the need for proactive patching in critical infrastructure.


    The post Multiple BIND 9 DNS Vulnerabilities Enable Cache Poisoning and Denial Of Service Attacks appeared first on Cyber Security News.


  • A sophisticated spearphishing campaign has targeted humanitarian organizations working on Ukrainian war relief efforts, employing weaponized PDFs and fake Cloudflare captcha pages to deploy a custom remote access trojan. The PhantomCaptcha campaign, launched on October 8th, 2025, specifically targeted individual members of the International Committee of the Red Cross, United Nations Children’s Fund (UNICEF) Ukraine […]

    The post PhantomCaptcha RAT Uses Weaponized PDFs and “ClickFix” Cloudflare CAPTCHA Pages to Deliver Malware appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • AI-powered agents are increasingly relied upon to execute tasks like code analysis, file management, and automating workflows. However, a newly highlighted vulnerability argument injection shows how attackers can use these very capabilities to achieve remote code execution (RCE), even when certain safeguards are in place. CVE ID Product Vulnerability CVE-2025-54795 Claude Code Command injection in […]

    The post Critical Argument Injection Flaw in AI Agents Enables Remote Code Execution appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • E-commerce security company Sansec has warned that threat actors have begun to exploit a recently disclosed security vulnerability in Adobe Commerce and Magento Open Source platforms, with more than 250 attack attempts recorded against multiple stores over the past 24 hours. The vulnerability in question is CVE-2025-54236 (CVSS score: 9.1), a critical improper input validation flaw that could be
