Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory - and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.
AnalysisAI
The tar-rs library versions 0.4.44 and below contain a symlink-following vulnerability in the unpack_dir function that allows attackers to modify permissions on arbitrary directories outside the extraction root. An attacker can craft a malicious tarball containing a symlink entry followed by a directory entry with the same name; when unpacked, the library follows the symlink and applies chmod to the target directory rather than validating it resides within the extraction root. This vulnerability has a CVSS score of 5.1 with network accessibility and low attack complexity, making it exploitable by remote attackers without privileges or special user interaction beyond accepting a crafted archive.
Technical ContextAI
The tar-rs library is a Rust crate for reading and writing tar archive formats. The vulnerability exists in the unpack_dir function, which uses fs::metadata() to validate whether a path already exists and determine if it is a directory. Because fs::metadata() in Rust follows symbolic links by design (unlike lstat), an attacker can exploit this behavior by placing a symlink entry in the tarball that points outside the extraction root, followed by a directory entry with the same name. When the function checks if the path is a directory, it resolves the symlink target and sees a directory there, then proceeds to apply filesystem operations (chmod) to that external location. This represents a classic instance of CWE-61 (Unix Symbolic Link Following), where inadequate validation of symlink targets allows arbitrary file system operations outside intended boundaries.
RemediationAI
Upgrade tar-rs to version 0.4.45 or later immediately by updating the dependency in Cargo.toml and running 'cargo update'. For projects unable to upgrade immediately, implement input validation by rejecting tarballs containing symlink entries before extraction, or extract tarballs to a temporary isolated filesystem (e.g., a container or chroot environment) to prevent permission modifications from affecting the host system. Additionally, monitor directory permission changes in production environments and restrict tarball unpacking operations to dedicated, low-privilege service accounts to limit the blast radius of a successful exploit. Consult the official security advisory at https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph for confirmation of patching status.
Same weakness CWE-61 – UNIX Symbolic Link (Symlink) Following
View allSame technique Information Disclosure
View allVendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| questing | needs-triage | - |
| upstream | needs-triage | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13616
GHSA-j4xf-2g29-59ph