Security Researchers Flag Symlink Traversal Flaw in Rust Archive Library astral-tokio-tar
A security audit has uncovered five vulnerabilities in astral-tokio-tar, a widely used Rust library for handling tar archives. The most severe flaw—tracked as RUSTSEC-2026-0113—allows the unpack_in API to modify permissions on directories outside the intended archive hierarchy by following malicious symlinks. The vulnerability affects version 0.6.0 and earlier; while individual file permissions cannot be altered through this method, the permissions of arbitrary directories are exposed to manipulation by any actor who can craft a specially constructed tar archive.
The vulnerability stems from insufficient validation of symlinks during archive extraction. An attacker who can supply a crafted tar archive could exploit the library to issue chmod operations against external directories, bypassing the intended security boundary of the archive extraction process. Security researchers note that the flaw mirrors a similar vulnerability discovered in the standard tar crate (GHSA-j4xf-2g29-59ph), suggesting a systemic pattern in how Rust-based archive handling libraries enforce extraction boundaries. A second disclosed flaw, RUSTSEC-2026-0112, involves PAX header desynchronization in the same package, further complicating the library's security posture.
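As an added illustration (not code from astral-tokio-tar or its 0.6.1 fix), the following Rust check shows the invariant an extractor must enforce before it creates or chmods anything: resolve the entry path one component at a time, follow any symlink already on disk, and refuse the entry if the real location leaves the destination. The `dest/link -> outside` layout and the `link/payload` entry are constructed for the demo.

```rust
use std::fs;
use std::io::{Error, ErrorKind, Result};
use std::path::{Component, Path, PathBuf};

/// Resolve archive entry path `rel` under `dest`, following symlinks one
/// component at a time, and refuse it if the resolved location leaves `dest`.
/// The returned path is the real on-disk path that is safe to create or chmod.
pub fn resolve_inside(dest: &Path, rel: &Path) -> Result<PathBuf> {
    let root = fs::canonicalize(dest)?;
    let mut cur = root.clone();
    for comp in rel.components() {
        match comp {
            Component::CurDir => {}
            Component::Normal(c) => {
                cur.push(c);
                // Only components that already exist can be symlinks; resolve
                // them and check the real target, so a link in the middle of
                // the path (dest/link -> /outside, then link/sub) is caught too.
                if fs::symlink_metadata(&cur).is_ok() {
                    cur = fs::canonicalize(&cur)?;
                    if !cur.starts_with(&root) {
                        return Err(Error::new(ErrorKind::PermissionDenied,
                            format!("{} resolves outside {}", rel.display(), root.display())));
                    }
                }
            }
            // Absolute paths and `..` components are rejected outright.
            _ => return Err(Error::new(ErrorKind::InvalidInput, "unsafe path component")),
        }
    }
    Ok(cur)
}

/// Constructed scenario mirroring the report: `dest/link` is a symlink to a
/// directory outside `dest`. Returns (escaping entry rejected, benign entry ok).
pub fn demo() -> Result<(bool, bool)> {
    let base = std::env::temp_dir().join(format!("tar-symlink-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&base);
    let (dest, outside) = (base.join("dest"), base.join("outside"));
    fs::create_dir_all(dest.join("ok"))?;
    fs::create_dir_all(&outside)?;
    std::os::unix::fs::symlink(&outside, dest.join("link"))?;
    let root = fs::canonicalize(&dest)?;
    let rejected = resolve_inside(&dest, Path::new("link/payload")).is_err();
    let benign = matches!(resolve_inside(&dest, Path::new("ok/payload")),
                          Ok(p) if p.starts_with(&root));
    let _ = fs::remove_dir_all(&base);
    Ok((rejected, benign))
}
```

The same check has to run before every metadata operation, not only before file writes; the report's point is that a chmod issued through an unresolved path is enough to reach outside the destination.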
The maintainers have addressed the symlink traversal vulnerability in version 0.6.1. Users of astral-tokio-tar in production systems—particularly those processing untrusted archive input—are advised to verify their current dependency versions and upgrade immediately. The discovery highlights ongoing challenges in securing file extraction logic, where the complexity of archive format parsing creates recurring attack surfaces exploitable through carefully malformed archives.