
cargo audit is failing with tokio-tar parses PAX extended headers incorrectly, allows file smuggling #18288

@alamb

Description


Describe the bug

The security audit check started failing on PRs. For example

https://github.com/apache/datafusion/actions/runs/18817236490/job/53687295209?pr=18287

    Scanning Cargo.lock for vulnerabilities (682 crate dependencies)
    Crate:     tokio-tar
    Version:   0.3.1
    Title:     `tokio-tar` parses PAX extended headers incorrectly, allows file smuggling
    Date:      2025-10-21
    ID:        RUSTSEC-2025-0111
    URL:       https://rustsec.org/advisories/RUSTSEC-2025-0111
    Solution:  No fixed upgrade is available!
    Dependency tree:
    tokio-tar 0.3.1
    └── testcontainers 0.24.0
        ├── testcontainers-modules 0.12.1
        │   ├── datafusion-sqllogictest 50.3.0
        │   └── datafusion-cli 50.3.0
        ├── datafusion-sqllogictest 50.3.0
        └── datafusion-cli 50.3.0

It appears that this was a recently added report: https://rustsec.org/advisories/RUSTSEC-2025-0111

Since we are using tokio-tar for testing infrastructure where we control both ends of the connection, I don't think this is an actual security problem, but we do need to fix the CI.

To Reproduce

No response

Expected behavior

No response

Additional context

No response
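As an added illustration (not part of the issue and not the fix the DataFusion project adopted), this is the standard `cargo audit` mechanism for acknowledging an advisory that has no fixed upgrade yet while keeping the CI gate active for everything else: a `.cargo/audit.toml` file at the repository root, read by `cargo audit` automatically. The advisory id is the one reported above; the comment text is constructed for this example.

```toml
# .cargo/audit.toml  -- read by `cargo audit` from the repository root.
#
# Weak setting (what NOT to do): blanket-suppressing a whole class of findings
# so the CI gate stops failing.
#
# [advisories]
# ignore = []            # empty list, but...
# informational_warnings = []
# ... combined with running `cargo audit || true` in CI, which hides every
# future advisory, not just this one.

# Hardened form: suppress exactly one advisory id, documented with the reason
# and the conditions under which the ignore must be removed.
[advisories]
ignore = [
    # RUSTSEC-2025-0111: tokio-tar PAX extended header parsing.
    # Reached only via testcontainers (dev/test infrastructure) where both ends
    # of the archive exchange are under our control; no user-supplied tar input.
    # Remove this entry as soon as a patched tokio-tar or a testcontainers
    # release that drops the dependency is available.
    "RUSTSEC-2025-0111",
]
```

The equivalent one-off form on the command line is `cargo audit --ignore RUSTSEC-2025-0111`, which is useful for confirming locally that the report is the only failing finding before committing the config. Keeping the ignore scoped to a single id means any new advisory against the same lock file still fails the PR check, and the comment gives the reviewer who later sees the entry the information needed to decide whether it can be dropped.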
