CyberScoop reports that an abandoned Rust code library async-tar, which has been reused in several forks, contains a major security flaw, tracked as CVE-2025-62518, that allows remote code execution through file overwriting and affects many other projects built from it.

The issue, dubbed TARmageddon, was discovered during internal testing on Aug. 21, with patches issued the following day, according to researchers from the cybersecurity firm Edera. The company worked to fix the problem across several forks before publicly disclosing the flaw on Tuesday.

Edera co-founder and Chief Technology Officer Alex Zenla described the flaw as "a textbook case of the open-source abandonware crisis," explaining that it originated in early code and was later copied into newer forks after the original project stopped receiving updates.

Zenla also said that the affected code is used for archive processing throughout the Rust ecosystem and warned that "the most concerning part is unawareness."

While Rust is considered a secure language, Zenla noted that the case shows that even safer programming environments can still face risks from old, unmaintained code.