This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate async-ffmpeg-sidecar

Dependencies

(10 total, 3 outdated, 1 possibly insecure)

Crate               Required    Latest    Status
anyhow              ^1.0.93     1.0.102   up to date
futures-util        ^0.3.31     0.3.32    up to date
tokio               ^1.41.1     1.52.2    up to date
reqwest             ^0.12.12    0.13.3    out of date
tokio-util          ^0.7.13     0.7.18    up to date
sanitize-filename   ^0.6.0      0.6.0     up to date
futures             ^0.3.31     0.3.32    up to date
async_zip           ^0.0.17     0.0.18    out of date
astral-tokio-tar ⚠️  ^0.5.6      0.6.1     out of date
async-compression   ^0.4.18     0.4.42    up to date

Security Vulnerabilities

astral-tokio-tar: Insufficient validation of PAX extensions during extraction

RUSTSEC-2026-0066

In versions 0.5.6 and earlier of astral-tokio-tar, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malformed GNU "long link" extension so that a subsequent parser would misinterpret the extension.

In practice, exploiting this behavior in astral-tokio-tar requires a secondary misbehaving tar parser, i.e. one that insufficiently validates malformed PAX extensions and interprets them rather than skipping or erroring on them. This vulnerability is considered low-severity as it requires a separate vulnerability against any unrelated tar parser.

This issue has been fixed in version 0.6.0.
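To make the "skip versus reject" distinction in the advisory concrete, here is an added illustration written for this page; it is not code from astral-tokio-tar or from the async-ffmpeg-sidecar project. It parses the records of a PAX extended header (each record is "<length> <key>=<value>\n", where the decimal length counts the whole record including the prefix and the newline, as in the POSIX pax format) in two modes: a lenient mode that silently resynchronises at the next newline when a record is malformed, and a strict mode that fails the whole header. The sample header bytes are constructed; the "linkpath" records stand in for the long-link extension the advisory mentions. The point for a defender is that the lenient parser yields a record set that a differently tolerant parser need not agree with, while the strict parser gives every consumer the same answer: an error.

```rust
//! Added illustration (not the crate's own code): lenient vs strict parsing of
//! PAX extended-header records, to show why rejecting malformed records
//! removes a parser-differential building block.

use std::str;

#[derive(Debug, PartialEq)]
pub enum PaxError {
    /// Length prefix is not ASCII digits followed by one space (offset given).
    BadLength(usize),
    /// Declared length is too short for a record or runs past the data.
    LengthOutOfRange(usize),
    /// Record lacks the trailing '\n' or the '=' separator.
    Malformed(usize),
    /// Key or value is not valid UTF-8.
    NotUtf8(usize),
}

/// Parse one record starting at `at`; return (record length, key, value).
fn parse_one(data: &[u8], at: usize) -> Result<(usize, String, String), PaxError> {
    let rec = &data[at..];
    let space = rec.iter().position(|&b| b == b' ').ok_or(PaxError::BadLength(at))?;
    let prefix = &rec[..space];
    if prefix.is_empty() || !prefix.iter().all(|b| b.is_ascii_digit()) {
        return Err(PaxError::BadLength(at));
    }
    let len: usize = str::from_utf8(prefix)
        .map_err(|_| PaxError::BadLength(at))?
        .parse()
        .map_err(|_| PaxError::BadLength(at))?;
    // The length covers the prefix, the space, the body and the newline.
    if len <= space + 1 || len > rec.len() {
        return Err(PaxError::LengthOutOfRange(at));
    }
    let body = &rec[space + 1..len];
    if body.last() != Some(&b'\n') {
        return Err(PaxError::Malformed(at));
    }
    let body = &body[..body.len() - 1];
    let eq = body.iter().position(|&b| b == b'=').ok_or(PaxError::Malformed(at))?;
    let key = str::from_utf8(&body[..eq]).map_err(|_| PaxError::NotUtf8(at))?;
    let value = str::from_utf8(&body[eq + 1..]).map_err(|_| PaxError::NotUtf8(at))?;
    Ok((len, key.to_string(), value.to_string()))
}

/// Parse all records in a PAX extended header.
/// `strict == false`: a malformed record is skipped by resynchronising at the
/// next '\n' (the silent-skip behaviour the advisory describes).
/// `strict == true`: the first malformed record fails the whole header.
pub fn parse_pax_records(data: &[u8], strict: bool) -> Result<Vec<(String, String)>, PaxError> {
    let mut records = Vec::new();
    let mut pos = 0;
    while pos < data.len() {
        match parse_one(data, pos) {
            Ok((len, key, value)) => {
                records.push((key, value));
                pos += len; // len > 0, so the loop always advances
            }
            Err(e) if strict => return Err(e),
            Err(_) => {
                // Lenient: drop bytes up to and including the next newline.
                pos += match data[pos..].iter().position(|&b| b == b'\n') {
                    Some(nl) => nl + 1,
                    None => data.len() - pos,
                };
            }
        }
    }
    Ok(records)
}

/// Constructed sample header: a valid "path" record, a record whose declared
/// length (99) does not match its actual size, then a valid "linkpath" record.
pub const SAMPLE: &[u8] = b"18 path=hello.txt\n99 linkpath=a\n23 linkpath=target.bin\n";

fn main() {
    // Lenient: Ok([("path","hello.txt"), ("linkpath","target.bin")])
    println!("lenient: {:?}", parse_pax_records(SAMPLE, false));
    // Strict: Err(LengthOutOfRange(18))
    println!("strict:  {:?}", parse_pax_records(SAMPLE, true));
}
```

In lenient mode the malformed second record vanishes and the header appears to carry a single, well-formed link target; a second parser that tolerated the bad length differently could instead honour the first "linkpath" value. Strict mode turns the same bytes into a hard error at offset 18, which is the fix shipped in astral-tokio-tar 0.6.0 in spirit: malformed extensions are rejected, not skipped.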