Remote Code Execution Flaw in Abandoned Rust Library

Source: CyberScoop

Security specialists at Edera disclosed a critical vulnerability (CVE-2025-62518) in an early version of an abandoned async tar archive library for Rust. This flaw enables remote code execution and affects many forks used in widely deployed tools. Given its presence in essential tools, such as the uv package manager that boasts over 5 million downloads, there exists a substantial risk to numerous production environments.

Edera’s discovery highlights the systemic risks linked to abandoned open-source projects where bugs can proliferate undetected. The vulnerability emerged during a development push on August 21 and was addressed swiftly with patches; however, tracking and coordination with various active forks posed a significant challenge. The case reflects a broader crisis in open-source software maintenance, where broken supply chains of responsibility lead to major flaws being inherited across numerous projects, often without user awareness.

Despite Rust’s reputation for safety, this incident underscores that even a language with strong safety guarantees can harbor vulnerabilities introduced by human error, since those guarantees do not rule out logic bugs in application code. The incident reiterates the importance of transparency and communication in the open-source ecosystem, demonstrating that abandoned projects can result in difficult and inefficient remediation processes.

👉 Read the original: CyberScoop