
Cloud Vulnerability DB
A community-led vulnerabilities database
astral-tokio-tar, a tar archive reading/writing library for async Rust, contains a path traversal vulnerability in versions 0.5.3 and earlier (CVE-2025-59825). The vulnerability was discovered and disclosed on September 23, 2025. The issue affects the Entry::unpack_in_raw API and the Entry::allow_external_symlinks control, potentially allowing extraction of files outside the intended destination directory (GitHub Advisory).
The vulnerability exists in two forms: First, tar archives may extract outside of their intended destination directory when using the Entry::unpack_in_raw API. Second, the Entry::allow_external_symlinks control (which defaults to true) can be bypassed using a pair of symlinks that individually point within the destination but combine to point outside of it. The vulnerability has been assigned a High severity rating and is tracked under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (GitHub Advisory).
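The second form above is worth seeing concretely, because it defeats the containment check most extractors reach for first. The Rust program below is an added illustration written for this entry; it is not code from astral-tokio-tar or from the advisory, and the `Links` map, the function names and the 40-link budget are assumptions made for the example. It contrasts a purely lexical check (collapse `..` textually, then see whether the path still starts under the destination) with a check that follows symlinks already written to the destination before applying `..`. A constructed archive first creates `a/l -> ..`, which on its own resolves to the destination root and passes, and then `m -> a/l/..`, which the lexical check reads as `a` but which in fact walks through `a/l` to the root and then one level above it.

```rust
use std::collections::HashMap;
use std::ffi::OsString;
use std::path::{Component, Path, PathBuf};

/// Constructed stand-in for the symlinks already written into the destination:
/// link path (relative to the destination root) -> target exactly as the archive
/// entry recorded it. A real extractor would consult the filesystem instead.
pub type Links = HashMap<PathBuf, PathBuf>;

fn to_parts(p: &Path) -> Vec<OsString> {
    p.components().map(|c| c.as_os_str().to_os_string()).collect()
}

/// The weak check: collapse `.` and `..` purely textually and report where the
/// entry would land relative to the destination root, or None if it escapes.
pub fn lexical_resolve(rel: &Path) -> Option<PathBuf> {
    let mut parts: Vec<OsString> = Vec::new();
    for c in rel.components() {
        match c {
            Component::CurDir => {}
            Component::Normal(n) => parts.push(n.to_os_string()),
            // Popping an empty stack means the path climbs above the destination.
            Component::ParentDir => {
                parts.pop()?;
            }
            // Absolute paths and drive prefixes never belong in an archive entry.
            Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    Some(parts.iter().collect())
}

/// The symlink-aware check: walk one component at a time and, whenever the path
/// so far names a symlink that is already on disk, substitute its resolved target
/// before continuing. `..` is therefore applied to the *resolved* parent, which is
/// what catches a pair of links that are each harmless alone. `budget` bounds the
/// number of links followed so loops and deep chains are rejected rather than spun on.
pub fn resolve_following_links(rel: &Path, links: &Links, mut budget: usize) -> Option<PathBuf> {
    let mut parts: Vec<OsString> = Vec::new();
    for c in rel.components() {
        match c {
            Component::CurDir => {}
            Component::ParentDir => {
                parts.pop()?;
            }
            Component::RootDir | Component::Prefix(_) => return None,
            Component::Normal(n) => {
                parts.push(n.to_os_string());
                let here: PathBuf = parts.iter().collect();
                if let Some(target) = links.get(&here) {
                    budget = budget.checked_sub(1)?;
                    // Drop the link name and resolve its target relative to the
                    // link's parent; an absolute target yields RootDir and fails.
                    parts.pop();
                    let base: PathBuf = parts.iter().collect();
                    let resolved = resolve_following_links(&base.join(target), links, budget)?;
                    parts = to_parts(&resolved);
                }
            }
        }
    }
    Some(parts.iter().collect())
}

/// A regular entry may be written only if its full path stays under the root.
pub fn entry_stays_inside(path: &Path, links: &Links) -> bool {
    resolve_following_links(path, links, 40).is_some()
}

/// A symlink entry may be created only if what it ultimately points at stays
/// under the root, evaluated relative to the directory the link lives in.
pub fn symlink_stays_inside(link_path: &Path, target: &Path, links: &Links) -> bool {
    let parent = link_path.parent().unwrap_or_else(|| Path::new(""));
    resolve_following_links(&parent.join(target), links, 40).is_some()
}

fn main() {
    let mut links = Links::new();
    // Constructed archive: first a link `a/l -> ..`, which resolves to the
    // destination root itself and so passes on its own ...
    let first = symlink_stays_inside(Path::new("a/l"), Path::new(".."), &links);
    links.insert(PathBuf::from("a/l"), PathBuf::from(".."));
    // ... then `m -> a/l/..`, which a lexical check reads as `a` but which actually
    // walks through `a/l` to the root and then one level above it.
    let lexical = lexical_resolve(Path::new("a/l/.."));
    let second = symlink_stays_inside(Path::new("m"), Path::new("a/l/.."), &links);
    println!("a/l -> ..     accepted: {first}");
    println!("m -> a/l/..   lexical view: {lexical:?}, link-aware accepted: {second}");
}
```

The design point is that `..` must be evaluated against what is really on disk at that moment, not against the string in the archive header; an extractor that only normalizes text has to trust that no earlier entry turned a directory component into a symlink. The link budget matters too: once the resolver follows links, a malicious archive can make it chase a cycle, so the walk must fail closed when the budget runs out.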
An attacker with a malicious tar archive could perform arbitrary file writes and potentially achieve code execution by overwriting files that the user or system executes. For the main downstream user (uv), the impact is considered low due to overlap with equivalent user capabilities in source distributions. However, for other downstream API users of this crate, the impact is considered high (GitHub Advisory).
The vulnerability has been patched in version 0.5.4 of astral-tokio-tar. Users are advised to upgrade to version 0.5.4 or newer, as there is no workaround other than upgrading (GitHub Advisory).
Source: This report was generated using AI