Skip to content

Commit 4e22222

Browse files
1 parent 2dabc63 commit 4e22222

3 files changed

Lines changed: 131 additions & 40 deletions

File tree

Lines changed: 63 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,63 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-3cv2-h65g-fgmm",
4+
"modified": "2026-05-29T19:08:23Z",
5+
"published": "2026-05-29T19:08:23Z",
6+
"aliases": [],
7+
"summary": "astral-tokio-tar has a PAX Header Desynchronization issue",
8+
"details": "### Impact\n\nVersions of astral-tokio-tar prior to 0.6.2 contain a PAX header interpretation bug that allows manipulated entries to be made selectively visible or invisible during extraction with astral-tokio-tar versus other tar implementations. An attacker could use this differential to smuggle unexpected files onto a victim's filesystem.\n\n### Details\n\nWhen a tar stream contains multiple \"header\" entries prior to a file entry, astral-tokio-tar applies the PAX header (`x`) to the next entry in the stream, regardless of type. For example, a stream of `x -> L -> file` (PAX, GNU longname, file) would result in `x`'s extensions being applied to `L` rather than to `file`.\n\n[Per POSIX pax](https://pubs.opengroup.org/onlinepubs/9799919799/utilities/pax.html), this is incorrect: a PAX header always applies to a file entry, not any intermediary entries. See the \"pax Header Block\" section for the specific prescription there.\n\nAs a result of this, an attacker can contrive a tar containing a sequence of tar headers such that astral-tokio-tar applies the PAX header's size extension to the next header in sequence, effectively desynchronizing the stream and enabling astral-tokio-tar specific skippage/extraction of members. In other words, a file can be contrived to extract differently on astral-tokio-tar than on other tar parsers.\n\n### Patches\n\nVersions 0.6.2 and newer of astral-tokio-tar address this differential.\n\n### Workarounds\n\nUsers are advised to upgrade to version 0.6.1 or newer to address this advisory.\n\nThere is no workaround other than upgrading. Users should experience no breaking changes as a result of the upgrade.\n\n### Resources\n\n- GHSA-j5gw-2vrg-8fgx is a similar PAX desynchronization bug\n- GHSA-fp55-jw48-c537 is another similar PAX desynchronization bug",
9+
"severity": [
10+
{
11+
"type": "CVSS_V4",
12+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "crates.io",
19+
"name": "astral-tokio-tar"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "0.6.2"
30+
}
31+
]
32+
}
33+
],
34+
"database_specific": {
35+
"last_known_affected_version_range": "<= 0.6.1"
36+
}
37+
}
38+
],
39+
"references": [
40+
{
41+
"type": "WEB",
42+
"url": "https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-3cv2-h65g-fgmm"
43+
},
44+
{
45+
"type": "PACKAGE",
46+
"url": "https://github.com/astral-sh/tokio-tar"
47+
},
48+
{
49+
"type": "WEB",
50+
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0145.html"
51+
}
52+
],
53+
"database_specific": {
54+
"cwe_ids": [
55+
"CWE-20",
56+
"CWE-843"
57+
],
58+
"severity": "MODERATE",
59+
"github_reviewed": true,
60+
"github_reviewed_at": "2026-05-29T19:08:23Z",
61+
"nvd_published_at": null
62+
}
63+
}
Lines changed: 68 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,68 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-qr28-p3wr-mxq3",
4+
"modified": "2026-05-29T19:10:32Z",
5+
"published": "2026-05-18T18:31:29Z",
6+
"aliases": [
7+
"CVE-2025-57282"
8+
],
9+
"summary": "ngrok is Vulnerable to Command Injection",
10+
"details": "ngrok v4.3.3 and 5.0.0-beta.2 are vulnerable to Command Injection.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
15+
},
16+
{
17+
"type": "CVSS_V4",
18+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"
19+
}
20+
],
21+
"affected": [
22+
{
23+
"package": {
24+
"ecosystem": "npm",
25+
"name": "ngrok"
26+
},
27+
"versions": [
28+
"4.3.3"
29+
]
30+
},
31+
{
32+
"package": {
33+
"ecosystem": "npm",
34+
"name": "ngrok"
35+
},
36+
"versions": [
37+
"5.0.0-beta.2"
38+
]
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "ADVISORY",
44+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57282"
45+
},
46+
{
47+
"type": "WEB",
48+
"url": "https://gist.github.com/Dremig/90c2a0a2f85b0921f10e0bb3192a0c23"
49+
},
50+
{
51+
"type": "PACKAGE",
52+
"url": "https://github.com/bubenshchykov/ngrok"
53+
},
54+
{
55+
"type": "WEB",
56+
"url": "https://www.npmjs.com"
57+
}
58+
],
59+
"database_specific": {
60+
"cwe_ids": [
61+
"CWE-77"
62+
],
63+
"severity": "HIGH",
64+
"github_reviewed": true,
65+
"github_reviewed_at": "2026-05-29T19:10:32Z",
66+
"nvd_published_at": "2026-05-18T16:16:29Z"
67+
}
68+
}

advisories/unreviewed/2026/05/GHSA-qr28-p3wr-mxq3/GHSA-qr28-p3wr-mxq3.json

Lines changed: 0 additions & 40 deletions
This file was deleted.

0 commit comments

Comments
 (0)