## Symlink Exploitation Allows Arbitrary Directory Permission Manipulation in astral-tokio-tar Library
A coordinated security disclosure has revealed multiple vulnerabilities in astral-tokio-tar, a Rust-based tar archive library widely used in systems programming. Two high-severity flaws, RUSTSEC-2026-0113 and RUSTSEC-2026-0112, were identified in version 0.6.0, exposing systems that process untrusted tar archives to directory permission manipulation and archive parsing inconsistencies. The maintainers have issued version 0.6.1 as a patched release, though the advisory database still lists the severity classification as unknown.

RUSTSEC-2026-0113 represents the most critical exposure: the unpack_in API can be exploited via crafted symlinks to modify permissions on directories outside the intended extraction hierarchy. An attacker could construct a malicious tar archive whose entries resolve through symlinks to external directories and alter those directories' permissions (chmod), while individual file permissions remain unaffected. The vulnerability mirrors a parallel flaw documented in the standard tar crate (GHSA-j4xf-2g29-59ph), indicating a systemic weakness in how Rust archive libraries handle symlink resolution during extraction. RUSTSEC-2026-0112 details a PAX header desynchronization issue in the same package version, further compromising the library's reliability when processing non-standard or adversarially constructed archives.

The disclosure carries particular weight for projects relying on astral-tokio-tar for secure archive handling. Any application that extracts user-supplied or network-received tar archives without strict isolation controls faces potential exploitation. Organizations using the library should audit their dependency trees immediately and verify whether version 0.6.1 or later is deployed. Given the unknown severity rating, independent risk assessment is warranted: the symlink-based permission escalation vector is technically severe, but real-world impact depends on archive source validation and extraction sandboxing already in place. Continued use of versions 0.6.0 and earlier represents an unpatched attack surface.
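
As an added defensive example (not code from the advisory or from astral-tokio-tar), the following Python pre-extraction check, written against the standard `tarfile` module, rejects archives whose entries escape the extraction root or resolve through an earlier symlink, which is the pattern the advisory describes. The sample archive it builds is constructed here for illustration; the entry names and the link target are assumptions.

```python
import io
import posixpath
import tarfile

def _escapes(path: str) -> bool:
    """True if a normalised archive path would land outside the extraction root."""
    norm = posixpath.normpath(path)
    return norm.startswith("/") or norm == ".." or norm.startswith("../")

def find_unsafe_members(tf: tarfile.TarFile) -> list[str]:
    """Reasons to reject the archive; an empty list means no issue was found."""
    problems = []
    symlinks = set()  # archive paths that would already be symlinks on disk
    for m in tf.getmembers():
        name = posixpath.normpath(m.name)
        if _escapes(name):
            problems.append(f"{m.name}: path escapes the extraction root")
            continue
        # An entry whose path equals, or lies under, an earlier symlink would be
        # created (or chmod'ed) at the symlink's target, not under the root.
        parts = name.split("/")
        prefixes = ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]
        hit = next((p for p in prefixes if p in symlinks), None)
        if hit is not None:
            problems.append(f"{m.name}: resolves through symlink {hit!r}")
        if m.issym():
            target = m.linkname if posixpath.isabs(m.linkname) else \
                posixpath.join(posixpath.dirname(name), m.linkname)
            if _escapes(target):
                problems.append(f"{m.name}: symlink target {m.linkname!r} escapes the root")
            symlinks.add(name)
    return problems

def build_sample_archive() -> bytes:
    """Constructed archive: a symlink out of the root, then a directory entry of the same name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        link = tarfile.TarInfo("share")
        link.type, link.linkname = tarfile.SYMTYPE, "../../outside"  # assumed target
        tf.addfile(link)
        d = tarfile.TarInfo("share")        # would be applied through the symlink above
        d.type, d.mode = tarfile.DIRTYPE, 0o777
        tf.addfile(d)
        tf.addfile(tarfile.TarInfo("docs/readme.txt"))  # benign, zero-length entry
    return buf.getvalue()

def check_archive(data: bytes) -> list[str]:
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        return find_unsafe_members(tf)
```

Running `check_archive(build_sample_archive())` reports two problems for the constructed archive (the escaping symlink target and the directory entry that resolves through it) and nothing for the benign file.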

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vulnerability, rust, symlink, directory-permission, tar-archive
- **Credibility**: unverified
- **Published**: 2026-05-01 05:54:05
- **ID**: 78787
- **URL**: https://whisperx.ai/en/intel/78787