Vulnerabilities

RUSTSEC-2026-0066

Insufficient validation of PAX extensions during extraction

In versions 0.5.6 and earlier of astral-tokio-tar, malformed PAX extensions
were silently skipped when parsing tar archives. This silent skipping (rather
than rejection) of invalid PAX extensions could be used as a building block for
a parser differential, for example by silently skipping a malformed GNU "long
link" extension so that a subsequent parser would misinterpret the extension.

In practice, exploiting this behavior in astral-tokio-tar requires a secondary
misbehaving tar parser, i.e. one that insufficiently validates malformed PAX
extensions and interprets them rather than skipping or erroring on them. This
vulnerability is considered low-severity as it requires a separate
vulnerability against any unrelated tar parser.

This issue has been fixed in version 0.6.0.

Warnings

RUSTSEC-2025-0141

Bincode is unmaintained

Due to a doxxing and harassment incident, the bincode team has taken the decision to cease development permanently.

The team considers version 1.3.3 a complete version of bincode that is not in need of any updates.

Alternatives to consider

• wincode
• postcard
• bitcode
• rkyv

RUSTSEC-2025-0134

rustls-pemfile is unmaintained

The rustls-pemfile crate is no longer maintained. The repository has been archived since August
2025, and users are encouraged to depend directly on the underlying PEM parsing code included
in rustls-pki-types since 1.9.0. The latest version of rustls-pemfile is in fact a thin wrapper
around the same code used in rustls-pki-types, so migrating should be straightforward.

The new API is represented by the PemObject trait, which provides methods for
reading a single or multiple PEM objects from a file or byte slice.