CVE-2025-59825 (CNNVD-202509-3643)
中文标题:
astral-tokio-tar 安全漏洞
英文标题:
astral-tokio-tar has a path traversal in tar extraction
漏洞描述
中文描述:
astral-tokio-tar是Astral开源的一个Rust库。 astral-tokio-tar 0.5.3及之前版本存在安全漏洞,该漏洞源于Entry_unpack_in_raw API存在路径遍历问题,且Entry_allow_external_symlinks控制可被绕过,可能导致任意文件写入和代码执行。
英文描述:
astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.3 and earlier of astral-tokio-tar, tar archives may extract outside of their intended destination directory when using the Entry::unpack_in_raw API. Additionally, the Entry::allow_external_symlinks control (which defaults to true) could be bypassed via a pair of symlinks that individually point within the destination but combine to point outside of it. These behaviors could be used individually or combined to bypass the intended security control of limiting extraction to the given directory. This in turn would allow an attacker with a malicious tar archive to perform an arbitrary file write and potentially pivot into code execution. This issue has been patched in version 0.5.4. There is no workaround other than upgrading.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| astral-sh | tokio-tar | < 0.5.4 | - | - |
cpe:2.3:a:astral-sh:tokio-tar:<_0.5.4:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
参考链接
CVSS评分详情
4.0 (cna)
MEDIUMCVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-59825 |
2025-11-11 15:23:31 | 2025-11-11 07:40:47 |
| NVD | nvd_CVE-2025-59825 |
2025-11-11 15:01:03 | 2025-11-11 07:48:33 |
| CNNVD | cnnvd_CNNVD-202509-3643 |
2025-11-11 15:12:58 | 2025-11-11 08:00:13 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 其他
- cnnvd_id: 未提取 -> CNNVD-202509-3643
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']