A high-severity vulnerability in the popular tokio-tar library has exposed a critical risk in the Rust supply chain. The flaw affects major projects and highlights the danger of relying on unmaintained dependencies.
This isn't a memory safety issue, but a logic bug in an abandoned crate that allows for potential Remote Code Execution. It serves as a stark reminder that while Rust's compiler is powerful, vulnerabilities can still emerge from flawed application logic.
In today’s Rust recap:
> A critical flaw in tokio-tar exposes supply chain risks
> Asahi Linux rewrites its Apple Silicon bootloader in Rust
> The Zed editor brings its Rust-powered performance to Windows
> Ubuntu's Rust rewrite of core utilities hits a real-world snag
Critical Flaw in tokio-tar Highlights Rust Supply Chain Risks
Security firm Edera has uncovered a high-severity vulnerability in the tokio-tar library, a popular tool for async TAR archives. The flaw, dubbed TARmageddon, exposes a significant risk in the Rust ecosystem and affects major projects like Astral's uv and wasmCloud.
This isn't a memory safety issue—it's a logic bug. A flaw in how the library parses TAR file headers allows an attacker to "smuggle" malicious files inside a nested archive. This can lead to Remote Code Execution (RCE), earning it a CVSS score of 8.1 and the official tracker CVE-2025-62518.
Potential attack vectors include:
Hijacking build backends in CI/CD pipelines.
Poisoning container images by injecting unapproved content.
Bypassing security scanners that only check the outer archive.
Here's the challenge: the original tokio-tar crate appears to be abandoned. The good news is that maintainers of active forks have stepped up, and patched releases are available. If your project uses tokio-tar, you should migrate to a maintained fork like astral-tokio-tar.
Why it matters: This incident is a powerful reminder that while Rust prevents entire classes of memory bugs, it's not a silver bullet for security. Logic flaws and unmaintained dependencies—"abandonware"—remain critical weak points. The unpatched tokio-tar crate has over 5 million downloads on crates.io, underscoring the scale of risk lurking in the open-source supply chain.
Asahi Linux Embraces Rust for Apple Silicon Bootloader
The Asahi Linux project, known for bringing Linux to Apple Silicon, has announced the rewrite of its critical m1n1 bootloader in Rust. This move targets improved memory safety and long-term maintainability for one of the most foundational pieces of their software stack.
Here’s a closer look at the initiative:
The primary goal is making the bootloader safer and more logically sound, especially as it’s intended to be the root of trust in a secure boot environment.
The first component ported was the Apple Device Tree (ADT) handler, which now has a sound, idiomatic Rust API.
Impressively, the rewrite showed no performance degradation compared to the original C implementation, even with the overhead of foreign function interface (FFI) calls.
Why it matters: This is a powerful endorsement for Rust in bare-metal development. By proving that Rust’s safety guarantees can be applied to a performance-sensitive bootloader without a speed penalty, the Asahi team provides a compelling case study for other low-level systems projects considering a move away from C.
The bottom line: The gradual, component-by-component migration of m1n1 isn't just an internal refactor. It’s a practical demonstration of how Rust is increasingly trusted to build more robust and secure foundational software for modern hardware.
Zed Editor Brings Rust-Powered Performance to Windows
The high-performance Zed editor has officially launched on Windows, bringing its speed-focused, multiplayer-first coding experience to a new platform. Built from the ground up in Rust, the release avoids web-based frameworks in favor of direct platform integration for maximum control and performance.
Here’s what stands out for developers:
Native Rendering: Zed uses DirectX 11 for its UI and DirectWrite for text, ensuring it feels snappy and integrates seamlessly with the Windows look and feel.
Deep WSL Integration: You can open projects directly from your Windows Subsystem for Linux terminal or launch into a WSL instance from the editor, with features like Git and language servers working remotely.
Sandboxed Extensions: Plugins are built as WebAssembly Components, running in a sandbox with filesystem access via WASI. This allows cross-platform extensions to work on Windows without modification.
Why it matters: Zed's Windows launch is a significant showcase for Rust's ability to build fast, reliable, and truly cross-platform desktop applications. By sidestepping common web wrappers, the Zed team delivers on the promise of native performance, offering a compelling alternative for Windows developers seeking speed.
Bottom line: The editor is ready for daily use, and the team is actively seeking feedback on WSL workflows and high-refresh-rate display performance. You can download Zed for Windows and try it today.
Ubuntu's Rust Rewrite Hits a Real-World Snag
Ubuntu's ambitious plan to replace core C utilities with safer Rust alternatives faced its first major test this week. A bug in the new uutils version of the date command quietly broke automatic updates on some Ubuntu 25.10 systems, offering a valuable lesson in migrating critical infrastructure.
Here’s a quick rundown:
The Bug: The command accepted the
date -r <file>flag but didn't actually implement its functionality. This caused scripts relying on it to fail silently instead of reporting an error.The Impact: It prevented the
unattended-upgradesprocess from running on desktops, servers, and cloud images, as detailed in the official announcement from Canonical.The Fix: A patch was quickly released. The issue was an unimplemented feature, not a memory-safety flaw that Rust is known for preventing.
Why it matters: This incident highlights that replacing decades-old, battle-tested code is about more than just memory safety. Achieving 100% feature parity and identical behavior—including how commands fail—is crucial. The silent failure demonstrates a class of bugs that even Rust's powerful compiler can't catch alone, emphasizing the need for exhaustive integration testing.
The bottom line: This is exactly why Ubuntu is testing these changes in an interim release before the next Long-Term Support (LTS) version. Finding and fixing these subtle behavioral differences now makes the entire ecosystem more robust. It's a bump in the road, but a necessary one on the path to a more secure Linux foundation.
The Shortlist
GitHub enabled general availability for Rust analysis in its CodeQL static analysis engine, adding a new query for insecure cookies and improving security scanning for all Rust projects.
Boa released version 0.21 of its JavaScript engine, featuring a migration to a register-based VM, a smaller memory footprint with Nan-boxing, and 94% conformance with the official ECMAScript test suite.
Axum-gate launched as a new type-safe authentication and authorization solution for the Axum web framework, providing JWT support, hierarchical RBAC, and multiple storage backends out of the box.
Zed unveiled GPUI, the Rust-native application framework powering its editor, which provides a custom async executor and a React-like UI model to build high-performance desktop tools without web views.