Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-62518 (GCVE-0-2025-62518)
Vulnerability from cvelistv5 – Published: 2025-10-21 16:13 – Updated: 2025-10-22 13:23
VLAI?
EPSS
Summary
astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds.
Severity ?
8.1 (High)
CWE
- CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62518",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T13:18:16.414919Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:23:33.408Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tokio-tar",
"vendor": "astral-sh",
"versions": [
{
"status": "affected",
"version": "\u003c 0.5.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-843",
"description": "CWE-843: Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T16:13:02.646Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-j5gw-2vrg-8fgx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-j5gw-2vrg-8fgx"
},
{
"name": "https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9"
},
{
"name": "https://github.com/astral-sh/tokio-tar/commit/22b3f884adb7a2adf1d3a8d03469533f5cbc8318",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/astral-sh/tokio-tar/commit/22b3f884adb7a2adf1d3a8d03469533f5cbc8318"
},
{
"name": "https://edera.dev/stories/tarmageddon",
"tags": [
"x_refsource_MISC"
],
"url": "https://edera.dev/stories/tarmageddon"
},
{
"name": "https://github.com/edera-dev/cve-tarmageddon",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/edera-dev/cve-tarmageddon"
}
],
"source": {
"advisory": "GHSA-j5gw-2vrg-8fgx",
"discovery": "UNKNOWN"
},
"title": "astral-tokio-tar Vulnerable to PAX Header Desynchronization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62518",
"datePublished": "2025-10-21T16:13:02.646Z",
"dateReserved": "2025-10-15T15:03:28.134Z",
"dateUpdated": "2025-10-22T13:23:33.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-62518\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-10-21T17:15:40.563\",\"lastModified\":\"2025-10-21T19:31:25.450\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-843\"}]}],\"references\":[{\"url\":\"https://edera.dev/stories/tarmageddon\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/astral-sh/tokio-tar/commit/22b3f884adb7a2adf1d3a8d03469533f5cbc8318\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-j5gw-2vrg-8fgx\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/edera-dev/cve-tarmageddon\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-62518\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-22T13:18:16.414919Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-21T16:35:11.190Z\"}}], \"cna\": {\"title\": \"astral-tokio-tar Vulnerable to PAX Header Desynchronization\", \"source\": {\"advisory\": \"GHSA-j5gw-2vrg-8fgx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"astral-sh\", \"product\": \"tokio-tar\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.5.6\"}]}], \"references\": [{\"url\": \"https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-j5gw-2vrg-8fgx\", \"name\": \"https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-j5gw-2vrg-8fgx\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9\", \"name\": \"https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/astral-sh/tokio-tar/commit/22b3f884adb7a2adf1d3a8d03469533f5cbc8318\", \"name\": \"https://github.com/astral-sh/tokio-tar/commit/22b3f884adb7a2adf1d3a8d03469533f5cbc8318\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://edera.dev/stories/tarmageddon\", \"name\": \"https://edera.dev/stories/tarmageddon\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/edera-dev/cve-tarmageddon\", \"name\": \"https://github.com/edera-dev/cve-tarmageddon\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-843\", \"description\": \"CWE-843: Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-10-21T16:13:02.646Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-62518\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-22T13:23:33.408Z\", \"dateReserved\": \"2025-10-15T15:03:28.134Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-10-21T16:13:02.646Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
FKIE_CVE-2025-62518
Vulnerability from fkie_nvd - Published: 2025-10-21 17:15 - Updated: 2025-10-21 19:31
Severity ?
Summary
astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds."
}
],
"id": "CVE-2025-62518",
"lastModified": "2025-10-21T19:31:25.450",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-10-21T17:15:40.563",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://edera.dev/stories/tarmageddon"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/astral-sh/tokio-tar/commit/22b3f884adb7a2adf1d3a8d03469533f5cbc8318"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-j5gw-2vrg-8fgx"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/edera-dev/cve-tarmageddon"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-843"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
CERTFR-2025-AVI-0941
Vulnerability from certfr_avis - Published: 2025-10-30 - Updated: 2025-10-30
De multiples vulnérabilités ont été découvertes dans les produits Microsoft. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Microsoft | N/A | azl3 kata-containers-cc 3.15.0.aks0-5 | ||
| Microsoft | N/A | cbl2 binutils 2.37-17 | ||
| Microsoft | N/A | cbl2 coredns 1.11.1-22 versions antérieures à 1.11.1-24 | ||
| Microsoft | N/A | cbl2 bind 9.16.50-2 | ||
| Microsoft | N/A | azl3 kernel 6.6.104.2-4 | ||
| Microsoft | N/A | azl3 bind 9.20.11-1 | ||
| Microsoft | N/A | azl3 coredns 1.11.4-10 | ||
| Microsoft | N/A | azl3 binutils 2.41-9 |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "azl3 kata-containers-cc 3.15.0.aks0-5",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 binutils 2.37-17",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 coredns 1.11.1-22 versions ant\u00e9rieures \u00e0 1.11.1-24",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 bind 9.16.50-2",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 kernel 6.6.104.2-4",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 bind 9.20.11-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 coredns 1.11.4-10",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 binutils 2.41-9",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-40064",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40064"
},
{
"name": "CVE-2025-40057",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40057"
},
{
"name": "CVE-2025-40055",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40055"
},
{
"name": "CVE-2025-40029",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40029"
},
{
"name": "CVE-2025-40048",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40048"
},
{
"name": "CVE-2025-62518",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62518"
},
{
"name": "CVE-2025-40043",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40043"
},
{
"name": "CVE-2025-11840",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11840"
},
{
"name": "CVE-2025-40780",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40780"
},
{
"name": "CVE-2025-40019",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40019"
},
{
"name": "CVE-2025-40039",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40039"
},
{
"name": "CVE-2025-40081",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40081"
},
{
"name": "CVE-2025-40026",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40026"
},
{
"name": "CVE-2025-40056",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40056"
},
{
"name": "CVE-2025-40052",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40052"
},
{
"name": "CVE-2025-40035",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40035"
},
{
"name": "CVE-2025-40020",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40020"
},
{
"name": "CVE-2025-40049",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40049"
},
{
"name": "CVE-2025-40024",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40024"
},
{
"name": "CVE-2025-40033",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40033"
},
{
"name": "CVE-2025-40075",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40075"
},
{
"name": "CVE-2025-40027",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40027"
},
{
"name": "CVE-2025-40032",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40032"
},
{
"name": "CVE-2025-40038",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40038"
},
{
"name": "CVE-2025-40778",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40778"
},
{
"name": "CVE-2025-40078",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40078"
},
{
"name": "CVE-2025-40074",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40074"
},
{
"name": "CVE-2025-40053",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40053"
},
{
"name": "CVE-2025-40040",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40040"
},
{
"name": "CVE-2025-40021",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40021"
},
{
"name": "CVE-2025-40044",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40044"
},
{
"name": "CVE-2025-40079",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40079"
},
{
"name": "CVE-2025-59530",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59530"
},
{
"name": "CVE-2025-40018",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40018"
},
{
"name": "CVE-2025-40077",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40077"
},
{
"name": "CVE-2025-40071",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40071"
},
{
"name": "CVE-2025-40080",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40080"
},
{
"name": "CVE-2025-40068",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40068"
},
{
"name": "CVE-2025-40042",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40042"
},
{
"name": "CVE-2025-8677",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8677"
},
{
"name": "CVE-2025-40060",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40060"
},
{
"name": "CVE-2025-40025",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40025"
},
{
"name": "CVE-2025-11839",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11839"
},
{
"name": "CVE-2025-40065",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40065"
},
{
"name": "CVE-2025-40036",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40036"
},
{
"name": "CVE-2025-40030",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40030"
},
{
"name": "CVE-2025-40061",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40061"
},
{
"name": "CVE-2025-40051",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40051"
}
],
"initial_release_date": "2025-10-30T00:00:00",
"last_revision_date": "2025-10-30T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0941",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-10-30T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Microsoft. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
"vendor_advisories": [
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40079",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40079"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40030",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40030"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40040",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40040"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40043",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40043"
},
{
"published_at": "2025-10-25",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-8677",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-8677"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40053",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40053"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40051",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40051"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40026",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40026"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40044",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40044"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40052",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40052"
},
{
"published_at": "2025-10-25",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40780",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40780"
},
{
"published_at": "2025-10-25",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-59530",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59530"
},
{
"published_at": "2025-10-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40021",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40021"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40080",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40080"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40077",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40077"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40068",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40068"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40057",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40057"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40039",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40039"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-11840",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-11840"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40042",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40042"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40049",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40049"
},
{
"published_at": "2025-10-25",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-11839",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-11839"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40081",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40081"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40035",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40035"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40056",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40056"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40064",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40064"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40071",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40071"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40061",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40061"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40033",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40033"
},
{
"published_at": "2025-10-25",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40778",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40778"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40025",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40025"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40074",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40074"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40055",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40055"
},
{
"published_at": "2025-10-25",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40019",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40019"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40027",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40027"
},
{
"published_at": "2025-10-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40024",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40024"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40029",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40029"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40065",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40065"
},
{
"published_at": "2025-10-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40020",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40020"
},
{
"published_at": "2025-10-25",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-62518",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62518"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40075",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40075"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40060",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40060"
},
{
"published_at": "2025-10-25",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40018",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40018"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40032",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40032"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40038",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40038"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40078",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40078"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40036",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40036"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40048",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40048"
}
]
}
CERTFR-2025-AVI-0941
Vulnerability from certfr_avis - Published: 2025-10-30 - Updated: 2025-10-30
De multiples vulnérabilités ont été découvertes dans les produits Microsoft. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Microsoft | N/A | azl3 kata-containers-cc 3.15.0.aks0-5 | ||
| Microsoft | N/A | cbl2 binutils 2.37-17 | ||
| Microsoft | N/A | cbl2 coredns 1.11.1-22 versions antérieures à 1.11.1-24 | ||
| Microsoft | N/A | cbl2 bind 9.16.50-2 | ||
| Microsoft | N/A | azl3 kernel 6.6.104.2-4 | ||
| Microsoft | N/A | azl3 bind 9.20.11-1 | ||
| Microsoft | N/A | azl3 coredns 1.11.4-10 | ||
| Microsoft | N/A | azl3 binutils 2.41-9 |
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "azl3 kata-containers-cc 3.15.0.aks0-5",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 binutils 2.37-17",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 coredns 1.11.1-22 versions ant\u00e9rieures \u00e0 1.11.1-24",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "cbl2 bind 9.16.50-2",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 kernel 6.6.104.2-4",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 bind 9.20.11-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 coredns 1.11.4-10",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 binutils 2.41-9",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-40064",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40064"
},
{
"name": "CVE-2025-40057",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40057"
},
{
"name": "CVE-2025-40055",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40055"
},
{
"name": "CVE-2025-40029",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40029"
},
{
"name": "CVE-2025-40048",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40048"
},
{
"name": "CVE-2025-62518",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62518"
},
{
"name": "CVE-2025-40043",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40043"
},
{
"name": "CVE-2025-11840",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11840"
},
{
"name": "CVE-2025-40780",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40780"
},
{
"name": "CVE-2025-40019",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40019"
},
{
"name": "CVE-2025-40039",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40039"
},
{
"name": "CVE-2025-40081",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40081"
},
{
"name": "CVE-2025-40026",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40026"
},
{
"name": "CVE-2025-40056",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40056"
},
{
"name": "CVE-2025-40052",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40052"
},
{
"name": "CVE-2025-40035",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40035"
},
{
"name": "CVE-2025-40020",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40020"
},
{
"name": "CVE-2025-40049",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40049"
},
{
"name": "CVE-2025-40024",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40024"
},
{
"name": "CVE-2025-40033",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40033"
},
{
"name": "CVE-2025-40075",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40075"
},
{
"name": "CVE-2025-40027",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40027"
},
{
"name": "CVE-2025-40032",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40032"
},
{
"name": "CVE-2025-40038",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40038"
},
{
"name": "CVE-2025-40778",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40778"
},
{
"name": "CVE-2025-40078",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40078"
},
{
"name": "CVE-2025-40074",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40074"
},
{
"name": "CVE-2025-40053",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40053"
},
{
"name": "CVE-2025-40040",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40040"
},
{
"name": "CVE-2025-40021",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40021"
},
{
"name": "CVE-2025-40044",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40044"
},
{
"name": "CVE-2025-40079",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40079"
},
{
"name": "CVE-2025-59530",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59530"
},
{
"name": "CVE-2025-40018",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40018"
},
{
"name": "CVE-2025-40077",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40077"
},
{
"name": "CVE-2025-40071",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40071"
},
{
"name": "CVE-2025-40080",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40080"
},
{
"name": "CVE-2025-40068",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40068"
},
{
"name": "CVE-2025-40042",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40042"
},
{
"name": "CVE-2025-8677",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8677"
},
{
"name": "CVE-2025-40060",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40060"
},
{
"name": "CVE-2025-40025",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40025"
},
{
"name": "CVE-2025-11839",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11839"
},
{
"name": "CVE-2025-40065",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40065"
},
{
"name": "CVE-2025-40036",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40036"
},
{
"name": "CVE-2025-40030",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40030"
},
{
"name": "CVE-2025-40061",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40061"
},
{
"name": "CVE-2025-40051",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40051"
}
],
"initial_release_date": "2025-10-30T00:00:00",
"last_revision_date": "2025-10-30T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0941",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-10-30T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Microsoft. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
"vendor_advisories": [
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40079",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40079"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40030",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40030"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40040",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40040"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40043",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40043"
},
{
"published_at": "2025-10-25",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-8677",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-8677"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40053",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40053"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40051",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40051"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40026",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40026"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40044",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40044"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40052",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40052"
},
{
"published_at": "2025-10-25",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40780",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40780"
},
{
"published_at": "2025-10-25",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-59530",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59530"
},
{
"published_at": "2025-10-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40021",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40021"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40080",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40080"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40077",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40077"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40068",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40068"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40057",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40057"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40039",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40039"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-11840",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-11840"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40042",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40042"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40049",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40049"
},
{
"published_at": "2025-10-25",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-11839",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-11839"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40081",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40081"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40035",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40035"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40056",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40056"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40064",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40064"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40071",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40071"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40061",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40061"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40033",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40033"
},
{
"published_at": "2025-10-25",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40778",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40778"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40025",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40025"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40074",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40074"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40055",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40055"
},
{
"published_at": "2025-10-25",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40019",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40019"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40027",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40027"
},
{
"published_at": "2025-10-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40024",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40024"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40029",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40029"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40065",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40065"
},
{
"published_at": "2025-10-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40020",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40020"
},
{
"published_at": "2025-10-25",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-62518",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62518"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40075",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40075"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40060",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40060"
},
{
"published_at": "2025-10-25",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40018",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40018"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40032",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40032"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40038",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40038"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40078",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40078"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40036",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40036"
},
{
"published_at": "2025-10-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-40048",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-40048"
}
]
}
OPENSUSE-SU-2025:15658-1
Vulnerability from csaf_opensuse - Published: 2025-10-22 00:00 - Updated: 2025-10-22 00:00Summary
python311-uv-0.9.5-1.1 on GA media
Notes
Title of the patch
python311-uv-0.9.5-1.1 on GA media
Description of the patch
These are all security issues fixed in the python311-uv-0.9.5-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2025-15658
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "python311-uv-0.9.5-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the python311-uv-0.9.5-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15658",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15658-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-62518 page",
"url": "https://www.suse.com/security/cve/CVE-2025-62518/"
}
],
"title": "python311-uv-0.9.5-1.1 on GA media",
"tracking": {
"current_release_date": "2025-10-22T00:00:00Z",
"generator": {
"date": "2025-10-22T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15658-1",
"initial_release_date": "2025-10-22T00:00:00Z",
"revision_history": [
{
"date": "2025-10-22T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python311-uv-0.9.5-1.1.aarch64",
"product": {
"name": "python311-uv-0.9.5-1.1.aarch64",
"product_id": "python311-uv-0.9.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python312-uv-0.9.5-1.1.aarch64",
"product": {
"name": "python312-uv-0.9.5-1.1.aarch64",
"product_id": "python312-uv-0.9.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-uv-0.9.5-1.1.aarch64",
"product": {
"name": "python313-uv-0.9.5-1.1.aarch64",
"product_id": "python313-uv-0.9.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "uv-bash-completion-0.9.5-1.1.aarch64",
"product": {
"name": "uv-bash-completion-0.9.5-1.1.aarch64",
"product_id": "uv-bash-completion-0.9.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "uv-fish-completion-0.9.5-1.1.aarch64",
"product": {
"name": "uv-fish-completion-0.9.5-1.1.aarch64",
"product_id": "uv-fish-completion-0.9.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "uv-zsh-completion-0.9.5-1.1.aarch64",
"product": {
"name": "uv-zsh-completion-0.9.5-1.1.aarch64",
"product_id": "uv-zsh-completion-0.9.5-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-uv-0.9.5-1.1.ppc64le",
"product": {
"name": "python311-uv-0.9.5-1.1.ppc64le",
"product_id": "python311-uv-0.9.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python312-uv-0.9.5-1.1.ppc64le",
"product": {
"name": "python312-uv-0.9.5-1.1.ppc64le",
"product_id": "python312-uv-0.9.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-uv-0.9.5-1.1.ppc64le",
"product": {
"name": "python313-uv-0.9.5-1.1.ppc64le",
"product_id": "python313-uv-0.9.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "uv-bash-completion-0.9.5-1.1.ppc64le",
"product": {
"name": "uv-bash-completion-0.9.5-1.1.ppc64le",
"product_id": "uv-bash-completion-0.9.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "uv-fish-completion-0.9.5-1.1.ppc64le",
"product": {
"name": "uv-fish-completion-0.9.5-1.1.ppc64le",
"product_id": "uv-fish-completion-0.9.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "uv-zsh-completion-0.9.5-1.1.ppc64le",
"product": {
"name": "uv-zsh-completion-0.9.5-1.1.ppc64le",
"product_id": "uv-zsh-completion-0.9.5-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-uv-0.9.5-1.1.s390x",
"product": {
"name": "python311-uv-0.9.5-1.1.s390x",
"product_id": "python311-uv-0.9.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python312-uv-0.9.5-1.1.s390x",
"product": {
"name": "python312-uv-0.9.5-1.1.s390x",
"product_id": "python312-uv-0.9.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-uv-0.9.5-1.1.s390x",
"product": {
"name": "python313-uv-0.9.5-1.1.s390x",
"product_id": "python313-uv-0.9.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "uv-bash-completion-0.9.5-1.1.s390x",
"product": {
"name": "uv-bash-completion-0.9.5-1.1.s390x",
"product_id": "uv-bash-completion-0.9.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "uv-fish-completion-0.9.5-1.1.s390x",
"product": {
"name": "uv-fish-completion-0.9.5-1.1.s390x",
"product_id": "uv-fish-completion-0.9.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "uv-zsh-completion-0.9.5-1.1.s390x",
"product": {
"name": "uv-zsh-completion-0.9.5-1.1.s390x",
"product_id": "uv-zsh-completion-0.9.5-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-uv-0.9.5-1.1.x86_64",
"product": {
"name": "python311-uv-0.9.5-1.1.x86_64",
"product_id": "python311-uv-0.9.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python312-uv-0.9.5-1.1.x86_64",
"product": {
"name": "python312-uv-0.9.5-1.1.x86_64",
"product_id": "python312-uv-0.9.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-uv-0.9.5-1.1.x86_64",
"product": {
"name": "python313-uv-0.9.5-1.1.x86_64",
"product_id": "python313-uv-0.9.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "uv-bash-completion-0.9.5-1.1.x86_64",
"product": {
"name": "uv-bash-completion-0.9.5-1.1.x86_64",
"product_id": "uv-bash-completion-0.9.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "uv-fish-completion-0.9.5-1.1.x86_64",
"product": {
"name": "uv-fish-completion-0.9.5-1.1.x86_64",
"product_id": "uv-fish-completion-0.9.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "uv-zsh-completion-0.9.5-1.1.x86_64",
"product": {
"name": "uv-zsh-completion-0.9.5-1.1.x86_64",
"product_id": "uv-zsh-completion-0.9.5-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-uv-0.9.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-uv-0.9.5-1.1.aarch64"
},
"product_reference": "python311-uv-0.9.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-uv-0.9.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-uv-0.9.5-1.1.ppc64le"
},
"product_reference": "python311-uv-0.9.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-uv-0.9.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-uv-0.9.5-1.1.s390x"
},
"product_reference": "python311-uv-0.9.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-uv-0.9.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-uv-0.9.5-1.1.x86_64"
},
"product_reference": "python311-uv-0.9.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-uv-0.9.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-uv-0.9.5-1.1.aarch64"
},
"product_reference": "python312-uv-0.9.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-uv-0.9.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-uv-0.9.5-1.1.ppc64le"
},
"product_reference": "python312-uv-0.9.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-uv-0.9.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-uv-0.9.5-1.1.s390x"
},
"product_reference": "python312-uv-0.9.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-uv-0.9.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-uv-0.9.5-1.1.x86_64"
},
"product_reference": "python312-uv-0.9.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-uv-0.9.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-uv-0.9.5-1.1.aarch64"
},
"product_reference": "python313-uv-0.9.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-uv-0.9.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-uv-0.9.5-1.1.ppc64le"
},
"product_reference": "python313-uv-0.9.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-uv-0.9.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-uv-0.9.5-1.1.s390x"
},
"product_reference": "python313-uv-0.9.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-uv-0.9.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-uv-0.9.5-1.1.x86_64"
},
"product_reference": "python313-uv-0.9.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "uv-bash-completion-0.9.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:uv-bash-completion-0.9.5-1.1.aarch64"
},
"product_reference": "uv-bash-completion-0.9.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "uv-bash-completion-0.9.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:uv-bash-completion-0.9.5-1.1.ppc64le"
},
"product_reference": "uv-bash-completion-0.9.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "uv-bash-completion-0.9.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:uv-bash-completion-0.9.5-1.1.s390x"
},
"product_reference": "uv-bash-completion-0.9.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "uv-bash-completion-0.9.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:uv-bash-completion-0.9.5-1.1.x86_64"
},
"product_reference": "uv-bash-completion-0.9.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "uv-fish-completion-0.9.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:uv-fish-completion-0.9.5-1.1.aarch64"
},
"product_reference": "uv-fish-completion-0.9.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "uv-fish-completion-0.9.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:uv-fish-completion-0.9.5-1.1.ppc64le"
},
"product_reference": "uv-fish-completion-0.9.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "uv-fish-completion-0.9.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:uv-fish-completion-0.9.5-1.1.s390x"
},
"product_reference": "uv-fish-completion-0.9.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "uv-fish-completion-0.9.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:uv-fish-completion-0.9.5-1.1.x86_64"
},
"product_reference": "uv-fish-completion-0.9.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "uv-zsh-completion-0.9.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:uv-zsh-completion-0.9.5-1.1.aarch64"
},
"product_reference": "uv-zsh-completion-0.9.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "uv-zsh-completion-0.9.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:uv-zsh-completion-0.9.5-1.1.ppc64le"
},
"product_reference": "uv-zsh-completion-0.9.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "uv-zsh-completion-0.9.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:uv-zsh-completion-0.9.5-1.1.s390x"
},
"product_reference": "uv-zsh-completion-0.9.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "uv-zsh-completion-0.9.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:uv-zsh-completion-0.9.5-1.1.x86_64"
},
"product_reference": "uv-zsh-completion-0.9.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-62518",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-62518"
}
],
"notes": [
{
"category": "general",
"text": "astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-uv-0.9.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-uv-0.9.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-uv-0.9.5-1.1.s390x",
"openSUSE Tumbleweed:python311-uv-0.9.5-1.1.x86_64",
"openSUSE Tumbleweed:python312-uv-0.9.5-1.1.aarch64",
"openSUSE Tumbleweed:python312-uv-0.9.5-1.1.ppc64le",
"openSUSE Tumbleweed:python312-uv-0.9.5-1.1.s390x",
"openSUSE Tumbleweed:python312-uv-0.9.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-uv-0.9.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-uv-0.9.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-uv-0.9.5-1.1.s390x",
"openSUSE Tumbleweed:python313-uv-0.9.5-1.1.x86_64",
"openSUSE Tumbleweed:uv-bash-completion-0.9.5-1.1.aarch64",
"openSUSE Tumbleweed:uv-bash-completion-0.9.5-1.1.ppc64le",
"openSUSE Tumbleweed:uv-bash-completion-0.9.5-1.1.s390x",
"openSUSE Tumbleweed:uv-bash-completion-0.9.5-1.1.x86_64",
"openSUSE Tumbleweed:uv-fish-completion-0.9.5-1.1.aarch64",
"openSUSE Tumbleweed:uv-fish-completion-0.9.5-1.1.ppc64le",
"openSUSE Tumbleweed:uv-fish-completion-0.9.5-1.1.s390x",
"openSUSE Tumbleweed:uv-fish-completion-0.9.5-1.1.x86_64",
"openSUSE Tumbleweed:uv-zsh-completion-0.9.5-1.1.aarch64",
"openSUSE Tumbleweed:uv-zsh-completion-0.9.5-1.1.ppc64le",
"openSUSE Tumbleweed:uv-zsh-completion-0.9.5-1.1.s390x",
"openSUSE Tumbleweed:uv-zsh-completion-0.9.5-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-62518",
"url": "https://www.suse.com/security/cve/CVE-2025-62518"
},
{
"category": "external",
"summary": "SUSE Bug 1252399 for CVE-2025-62518",
"url": "https://bugzilla.suse.com/1252399"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-uv-0.9.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-uv-0.9.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-uv-0.9.5-1.1.s390x",
"openSUSE Tumbleweed:python311-uv-0.9.5-1.1.x86_64",
"openSUSE Tumbleweed:python312-uv-0.9.5-1.1.aarch64",
"openSUSE Tumbleweed:python312-uv-0.9.5-1.1.ppc64le",
"openSUSE Tumbleweed:python312-uv-0.9.5-1.1.s390x",
"openSUSE Tumbleweed:python312-uv-0.9.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-uv-0.9.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-uv-0.9.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-uv-0.9.5-1.1.s390x",
"openSUSE Tumbleweed:python313-uv-0.9.5-1.1.x86_64",
"openSUSE Tumbleweed:uv-bash-completion-0.9.5-1.1.aarch64",
"openSUSE Tumbleweed:uv-bash-completion-0.9.5-1.1.ppc64le",
"openSUSE Tumbleweed:uv-bash-completion-0.9.5-1.1.s390x",
"openSUSE Tumbleweed:uv-bash-completion-0.9.5-1.1.x86_64",
"openSUSE Tumbleweed:uv-fish-completion-0.9.5-1.1.aarch64",
"openSUSE Tumbleweed:uv-fish-completion-0.9.5-1.1.ppc64le",
"openSUSE Tumbleweed:uv-fish-completion-0.9.5-1.1.s390x",
"openSUSE Tumbleweed:uv-fish-completion-0.9.5-1.1.x86_64",
"openSUSE Tumbleweed:uv-zsh-completion-0.9.5-1.1.aarch64",
"openSUSE Tumbleweed:uv-zsh-completion-0.9.5-1.1.ppc64le",
"openSUSE Tumbleweed:uv-zsh-completion-0.9.5-1.1.s390x",
"openSUSE Tumbleweed:uv-zsh-completion-0.9.5-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python311-uv-0.9.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-uv-0.9.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-uv-0.9.5-1.1.s390x",
"openSUSE Tumbleweed:python311-uv-0.9.5-1.1.x86_64",
"openSUSE Tumbleweed:python312-uv-0.9.5-1.1.aarch64",
"openSUSE Tumbleweed:python312-uv-0.9.5-1.1.ppc64le",
"openSUSE Tumbleweed:python312-uv-0.9.5-1.1.s390x",
"openSUSE Tumbleweed:python312-uv-0.9.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-uv-0.9.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-uv-0.9.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-uv-0.9.5-1.1.s390x",
"openSUSE Tumbleweed:python313-uv-0.9.5-1.1.x86_64",
"openSUSE Tumbleweed:uv-bash-completion-0.9.5-1.1.aarch64",
"openSUSE Tumbleweed:uv-bash-completion-0.9.5-1.1.ppc64le",
"openSUSE Tumbleweed:uv-bash-completion-0.9.5-1.1.s390x",
"openSUSE Tumbleweed:uv-bash-completion-0.9.5-1.1.x86_64",
"openSUSE Tumbleweed:uv-fish-completion-0.9.5-1.1.aarch64",
"openSUSE Tumbleweed:uv-fish-completion-0.9.5-1.1.ppc64le",
"openSUSE Tumbleweed:uv-fish-completion-0.9.5-1.1.s390x",
"openSUSE Tumbleweed:uv-fish-completion-0.9.5-1.1.x86_64",
"openSUSE Tumbleweed:uv-zsh-completion-0.9.5-1.1.aarch64",
"openSUSE Tumbleweed:uv-zsh-completion-0.9.5-1.1.ppc64le",
"openSUSE Tumbleweed:uv-zsh-completion-0.9.5-1.1.s390x",
"openSUSE Tumbleweed:uv-zsh-completion-0.9.5-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-22T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-62518"
}
]
}
MSRC_CVE-2025-62518
Vulnerability from csaf_microsoft - Published: 2025-10-02 00:00 - Updated: 2025-10-25 14:01Summary
astral-tokio-tar Vulnerable to PAX Header Desynchronization
Notes
Additional Resources
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer
The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2025-62518 astral-tokio-tar Vulnerable to PAX Header Desynchronization - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-62518.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "astral-tokio-tar Vulnerable to PAX Header Desynchronization",
"tracking": {
"current_release_date": "2025-10-25T14:01:53.000Z",
"generator": {
"date": "2025-10-29T21:50:50.904Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2025-62518",
"initial_release_date": "2025-10-02T00:00:00.000Z",
"revision_history": [
{
"date": "2025-10-25T14:01:53.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "azl3 kata-containers-cc 3.15.0.aks0-5",
"product": {
"name": "azl3 kata-containers-cc 3.15.0.aks0-5",
"product_id": "1"
}
}
],
"category": "product_name",
"name": "kata-containers-cc"
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 kata-containers-cc 3.15.0.aks0-5 as a component of Azure Linux 3.0",
"product_id": "17084-1"
},
"product_reference": "1",
"relates_to_product_reference": "17084"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-62518",
"cwe": {
"id": "CWE-843",
"name": "Access of Resource Using Incompatible Type (\u0026#39;Type Confusion\u0026#39;)"
},
"notes": [
{
"category": "general",
"text": "GitHub_M",
"title": "Assigning CNA"
}
],
"product_status": {
"known_affected": [
"17084-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-62518 astral-tokio-tar Vulnerable to PAX Header Desynchronization - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-62518.json"
}
],
"remediations": [
{
"category": "none_available",
"date": "2025-10-25T14:01:53.000Z",
"details": "There is no fix available for this vulnerability as of now",
"product_ids": [
"17084-1"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalsScore": 0.0,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 8.1,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"17084-1"
]
}
],
"title": "astral-tokio-tar Vulnerable to PAX Header Desynchronization"
}
]
}
GHSA-J5GW-2VRG-8FGX
Vulnerability from github – Published: 2025-10-21 15:42 – Updated: 2025-10-27 15:13
VLAI?
Summary
astral-tokio-tar Vulnerable to PAX Header Desynchronization
Details
Summary
Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers.
This vulnerability was disclosed to multiple Rust tar parsers, all derived from the original async-tar fork of tar-rs.
Details
Vulnerability Description
The vulnerability stems from inconsistent handling of PAX extended headers versus ustar headers when determining file data boundaries. Specifically:
- PAX header correctly specifies the file size (e.g.,
size=1048576) - ustar header incorrectly specifies zero size (
size=000000000000) - tokio-tar advances the stream position based on the ustar size (0 bytes)
- Inner content is then interpreted as legitimate outer archive entries
Attack Mechanism
When a TAR file contains:
- An outer entry with PAX
size=Nbut ustarsize=0 - File data that begins with valid TAR header structures
- The parser treats inner content as additional outer entries
This creates a header/data desynchronization where the parser's position becomes misaligned with actual file boundaries.
Root Cause
// Vulnerable: Uses ustar size instead of PAX override
let file_size = header.size(); // Returns 0 from ustar field
let next_pos = current_pos + 512 + pad_to_512(file_size); // Advances 0 bytes
// Fixed: Apply PAX overrides before position calculation
let mut file_size = header.size();
if let Some(pax_size) = pending_pax.get("size") {
file_size = pax_size.parse().unwrap();
}
let next_pos = current_pos + 512 + pad_to_512(file_size); // Correct advance
Impact
The impact of this vulnerability depends on where astral-tokio-tar is used, and whether it is used to extract untrusted tar archives. If used to extract untrusted inputs, it may result in unexpected attacker-controlled access to the filesystem, in turn potential resulting in arbitrary code execution or credential exfiltration.
See GHSA-w476-p2h3-79g9 for how this vulnerability affects uv, astral-tokio-tar's primary downstream user. Observe that unlike this advisory,uv's advisory is considered low severity due to overlap with intentional existing capabilities in source distributions.
Workarounds
Users are advised to upgrade to version 0.5.6 or newer to address this advisory.
There is no workaround other than upgrading.
Timeline
| Date | Event |
|---|---|
| Aug 21, 2025 | Vulnerability discovered by Edera Security Team |
| Aug 21, 2025 | Initial analysis and PoC confirmed |
| Aug 22, 2025 | Maintainers notified (privately) |
| Aug 25, 2025 | Private patch and test suite shared |
| Oct 7, 2025 | Text freeze for GHSA |
| Oct 21, 2025 | Coordinated public disclosure and patched releases |
Credits
- Discovered by: Steven Noonan (Edera) and Alex Zenla (Edera)
- Coordinated disclosure: Ann Wallace (Edera)
Severity ?
8.1 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.5.5"
},
"package": {
"ecosystem": "crates.io",
"name": "astral-tokio-tar"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62518"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-21T15:42:51Z",
"nvd_published_at": "2025-10-21T17:15:40Z",
"severity": "HIGH"
},
"details": "## Summary\n\nVersions of `astral-tokio-tar` prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers.\n\nThis vulnerability was disclosed to multiple Rust tar parsers, all derived from the original `async-tar` fork of `tar-rs`.\n\n## Details\n\n### Vulnerability Description\n\nThe vulnerability stems from inconsistent handling of PAX extended headers versus ustar headers when determining file data boundaries. Specifically:\n\n1. **PAX header** correctly specifies the file size (e.g., `size=1048576`)\n2. **ustar header** incorrectly specifies zero size (`size=000000000000`)\n3. **tokio-tar** advances the stream position based on the ustar size (0 bytes)\n4. **Inner content** is then interpreted as legitimate outer archive entries\n\n### Attack Mechanism\n\nWhen a TAR file contains:\n\n- An outer entry with PAX `size=N` but ustar `size=0`\n- File data that begins with valid TAR header structures\n- The parser treats inner content as additional outer entries\n\nThis creates a **header/data desynchronization** where the parser\u0027s position becomes misaligned with actual file boundaries.\n\n### Root Cause\n\n```rust\n// Vulnerable: Uses ustar size instead of PAX override\nlet file_size = header.size(); // Returns 0 from ustar field\nlet next_pos = current_pos + 512 + pad_to_512(file_size); // Advances 0 bytes\n\n// Fixed: Apply PAX overrides before position calculation\nlet mut file_size = header.size();\nif let Some(pax_size) = pending_pax.get(\"size\") {\n file_size = pax_size.parse().unwrap();\n}\nlet next_pos = current_pos + 512 + pad_to_512(file_size); // Correct advance\n\n```\n\n## Impact\n\nThe impact of this vulnerability depends on where `astral-tokio-tar` is used, and whether it is used to extract untrusted tar archives. If used to extract untrusted inputs, it may result in unexpected attacker-controlled access to the filesystem, in turn potential resulting in arbitrary code execution or credential exfiltration.\n\nSee [**GHSA-w476-p2h3-79g9**](https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9) for how this vulnerability affects `uv`, `astral-tokio-tar`\u0027s primary downstream user. Observe that **unlike** this advisory,` uv`\u0027s advisory is considered **low severity** due to overlap with intentional existing capabilities in source distributions. \n\n## Workarounds\n\nUsers are advised to upgrade to version 0.5.6 or newer to address this advisory.\n\nThere is no workaround other than upgrading.\n\n## Timeline\n\n| Date | Event |\n| --- | --- |\n| Aug 21, 2025 | Vulnerability discovered by Edera Security Team |\n| Aug 21, 2025 | Initial analysis and PoC confirmed |\n| Aug 22, 2025 | Maintainers notified (privately) |\n| Aug 25, 2025 | Private patch and test suite shared |\n| Oct 7, 2025 | Text freeze for GHSA |\n| Oct 21, 2025 | Coordinated public disclosure and patched releases |\n\n## Credits\n\n- **Discovered by:** Steven Noonan (Edera) and Alex Zenla (Edera)\n- **Coordinated disclosure:** Ann Wallace (Edera)",
"id": "GHSA-j5gw-2vrg-8fgx",
"modified": "2025-10-27T15:13:02Z",
"published": "2025-10-21T15:42:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-j5gw-2vrg-8fgx"
},
{
"type": "WEB",
"url": "https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9"
},
{
"type": "WEB",
"url": "https://github.com/astral-sh/tokio-tar/commit/22b3f884adb7a2adf1d3a8d03469533f5cbc8318"
},
{
"type": "WEB",
"url": "https://edera.dev/stories/tarmageddon"
},
{
"type": "PACKAGE",
"url": "https://github.com/astral-sh/tokio-tar"
},
{
"type": "WEB",
"url": "https://github.com/edera-dev/cve-tarmageddon"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0110.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "astral-tokio-tar Vulnerable to PAX Header Desynchronization"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…