Another Vulnerability Hits Rust's Ecosystem
Today's issue: Cloudflare's 90M RPS With Pingora, Findings on Futurelock, and Recent Rust Changes
Happy new month, Rustaceans
How was your Halloween? I'd love to see the costumes that stole the show for you. Mine? Definitely IShowSpeed's take on The Flash.
In this issue, we'll discuss a recently discovered high-severity vulnerability, present you a Rust challenge, spotlight an amazing Rust project, and share 10 incredible links of the week.
Here's issue 91 for you!
MAIN NEWS
Another Vulnerability Hits Rust's Ecosystem
Researchers at Edera found a high-severity vulnerability (CVE-2025-62518) that lets attackers pull off remote code execution through something as innocent as unpacking a .tar file.
The vulnerability has been hiding in an abandoned async tar library that's been forked four times.
The bug, nicknamed TARmageddon, lurks in the async-tar crate and its many descendants, including tokio-tar. These crates power archive handling in tools like uv, testcontainers, and wasmCloud.
It's a boundary-parsing flaw, a logic issue rather than a memory one, where nested TAR files can trick the parser into reading extra entries. That means an attacker could smuggle malicious files into builds, overwrite configs, or even hijack your CI pipeline.
And because the original code was long abandoned, every fork inherited the flaw. It's the open-source version of a family curse: one bad ancestor, infinite haunted children.
Rust fans love to brag about safety, no segfaults, no use-after-free, yada yada. But TARmageddon proves what every security engineer already knows: you can't memory-safe your way out of bad logic. Rust protects you from C bugs, not from carelessness.
And this is the dark side of open source: once maintainers move on, their ghosts stick around in dependency trees you didn't even know existed.
The patch is already out; if you're affected, update immediately. The fixed version is astral-tokio-tar 0.5.6 or later. If you're still using tokio-tar, stop pretending it's maintained and move on.
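To make the parsing invariant concrete, here is a small bounds-checked ustar reader, added as an illustration of the bug class described above. It is not the async-tar or tokio-tar code and does not reproduce the exact trigger from the Edera write-up; the names list_entries, make_entry and sample_nested_archive are mine, and the sample archive (an outer archive whose only file is itself a tar archive) is constructed inline. The reader advances strictly by one 512-byte header block plus the entry size rounded up to a block, and rejects any entry whose declared body runs past the end of the buffer, so bytes inside an entry's body are never interpreted as outer-level headers. Checksum verification and extended headers are deliberately left out.

```rust
// Added example: a minimal, bounds-checked ustar reader. Not the
// async-tar/tokio-tar code; the archive bytes below are constructed inline.
const BLOCK: usize = 512;

#[derive(Debug, PartialEq)]
pub struct Entry {
    pub name: String,
    pub size: usize,
    pub data_offset: usize,
}

/// Parse a 12-byte octal size field (NUL or space terminated).
fn parse_octal(field: &[u8]) -> Option<usize> {
    let digits: Vec<u8> = field
        .iter()
        .copied()
        .take_while(|b| *b != 0 && *b != b' ')
        .collect();
    if digits.is_empty() {
        return None;
    }
    let mut v: usize = 0;
    for d in digits {
        if !(b'0'..=b'7').contains(&d) {
            return None;
        }
        v = v.checked_mul(8)?.checked_add((d - b'0') as usize)?;
    }
    Some(v)
}

/// Walk the archive and return its top-level entries. The cursor always moves
/// by header + ceil(size / 512) * 512 bytes, so whatever an entry's body holds
/// (including another tar archive) is skipped, never parsed as outer headers.
/// Truncated or out-of-bounds entries are rejected instead of being
/// "recovered" by resynchronising on inner data.
pub fn list_entries(archive: &[u8]) -> Result<Vec<Entry>, String> {
    let mut entries = Vec::new();
    let mut pos = 0usize;
    while pos + BLOCK <= archive.len() {
        let header = &archive[pos..pos + BLOCK];
        // An all-zero block marks the end of the archive.
        if header.iter().all(|b| *b == 0) {
            break;
        }
        let name_raw = &header[0..100];
        let name_len = name_raw.iter().position(|b| *b == 0).unwrap_or(100);
        let name = String::from_utf8_lossy(&name_raw[..name_len]).into_owned();
        let size = parse_octal(&header[124..136])
            .ok_or_else(|| format!("bad size field in entry {name:?}"))?;
        let data_offset = pos + BLOCK;
        let end = data_offset.checked_add(size).ok_or("size overflow")?;
        if end > archive.len() {
            return Err(format!(
                "entry {name:?} declares {size} bytes but only {} remain",
                archive.len() - data_offset
            ));
        }
        let padded = (size + BLOCK - 1) / BLOCK * BLOCK;
        entries.push(Entry { name, size, data_offset });
        pos = data_offset + padded;
    }
    Ok(entries)
}

/// Build one ustar-style entry: header block plus body padded to 512 bytes.
/// The checksum is the standard sum of header bytes with the checksum field
/// treated as spaces (a strict reader would verify it; this one does not).
pub fn make_entry(name: &str, body: &[u8]) -> Vec<u8> {
    let mut header = [0u8; BLOCK];
    header[..name.len()].copy_from_slice(name.as_bytes());
    header[100..108].copy_from_slice(b"0000644\0");
    header[124..136].copy_from_slice(format!("{:011o}\0", body.len()).as_bytes());
    header[148..156].copy_from_slice(b"        ");
    header[156] = b'0'; // regular file
    header[257..263].copy_from_slice(b"ustar\0");
    header[263..265].copy_from_slice(b"00");
    let sum: u32 = header.iter().map(|b| *b as u32).sum();
    header[148..156].copy_from_slice(format!("{:06o}\0 ", sum).as_bytes());
    let mut out = header.to_vec();
    out.extend_from_slice(body);
    out.resize((out.len() + BLOCK - 1) / BLOCK * BLOCK, 0);
    out
}

/// Constructed sample: an outer archive whose single file "payload.tar" is
/// itself a complete tar archive containing "inner.txt". A correct reader
/// reports exactly one outer entry.
pub fn sample_nested_archive() -> Vec<u8> {
    let mut inner = make_entry("inner.txt", b"hello");
    inner.extend_from_slice(&[0u8; 2 * BLOCK]);
    let mut outer = make_entry("payload.tar", &inner);
    outer.extend_from_slice(&[0u8; 2 * BLOCK]);
    outer
}

fn main() {
    match list_entries(&sample_nested_archive()) {
        Ok(entries) => {
            for e in &entries {
                println!("{} ({} bytes at offset {})", e.name, e.size, e.data_offset);
            }
        }
        Err(e) => eprintln!("rejected: {e}"),
    }
}
```

The check worth keeping in mind when auditing any archive parser is the last one in list_entries: the body of an entry is a single opaque span that is either fully inside the buffer or the entry is rejected; the parser never scans inside it looking for the next header.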
RUST CHALLENGE
Last week we had you solve the Expression Evaluator challenge. LGTM codepilot, and Andreas Grois. Now to this week's challenge.
Flatten Nested Lists
Write a function flatten that flattens arbitrarily nested lists of integers into a single Vec<i64>. The nested type is defined as:
#[derive(Debug, Clone, PartialEq)]
pub enum Nested {
    Int(i64),
    List(Vec<Nested>),
}

You should handle deeply nested structures, and return an empty vector for empty or fully empty nested lists.
Test your solution on Rust Playground. Once completed, please share your solution and tag us either on X, BlueSky, Mastodon, LinkedIn, or reply to this email.
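One way to meet the "deeply nested" requirement, added here as an example and not the newsletter's reference solution: flatten with an explicit stack instead of recursion, so nesting depth is limited by heap memory rather than by the call stack. The same caveat applies to dropping the value, since the derived Drop for Nested recurses through every level, so this version also adds an iterative Drop impl (an addition to the challenge's enum, which defines none); the helper deeply_nested is mine and builds the test input iteratively for the same reason.

```rust
// Added example: iterative flatten plus an iterative Drop, so neither
// traversal nor destruction recurses per nesting level.
#[derive(Debug, Clone, PartialEq)]
pub enum Nested {
    Int(i64),
    List(Vec<Nested>),
}

impl Drop for Nested {
    /// Drain children onto an explicit stack so that dropping a very deep
    /// structure does not recurse once per level.
    fn drop(&mut self) {
        let mut stack: Vec<Nested> = Vec::new();
        if let Nested::List(v) = self {
            stack.append(v);
        }
        while let Some(mut node) = stack.pop() {
            if let Nested::List(v) = &mut node {
                stack.append(v);
            }
            // `node` is now a leaf or an empty list and drops shallowly here.
        }
    }
}

/// Flatten arbitrarily nested integers in order, without recursion.
pub fn flatten(nested: &Nested) -> Vec<i64> {
    let mut out = Vec::new();
    // Children are pushed in reverse so the first child is popped first.
    let mut stack: Vec<&Nested> = vec![nested];
    while let Some(node) = stack.pop() {
        match node {
            Nested::Int(i) => out.push(*i),
            Nested::List(items) => stack.extend(items.iter().rev()),
        }
    }
    out
}

/// Build a list nested `depth` levels deep around one integer (constructed
/// iteratively, so building it cannot overflow the stack either).
pub fn deeply_nested(depth: usize, value: i64) -> Nested {
    let mut node = Nested::Int(value);
    for _ in 0..depth {
        node = Nested::List(vec![node]);
    }
    node
}

fn main() {
    let sample = Nested::List(vec![
        Nested::Int(1),
        Nested::List(vec![Nested::Int(2), Nested::List(vec![Nested::Int(3)])]),
        Nested::List(vec![]),
        Nested::Int(4),
    ]);
    println!("{:?}", flatten(&sample));
    println!("{:?}", flatten(&deeply_nested(100_000, 7)));
}
```

Note that the derived Clone, PartialEq and Debug are still recursive; if untrusted input can produce deep nesting, either avoid those on deep values or cap the depth at parse time.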
PROJECT SPOTLIGHT
Sail
Sail is an open-source unified and distributed multimodal computation framework created by LakeSail.
If you've ever worked with Spark, you've noticed the sluggish startups, JVM tantrums, or surprise cloud bills.
The issue is Spark was groundbreaking... 15 years ago. But modern workloads don't vibe with garbage collection pauses, memory leaks, or Python-JVM serialization overheads.
Sail fixes that by being 100% Rust-native, meaning no JVM, no lag, no nonsense.
Here's why Sail's kind of a big deal:
Spark-Compatible - Your PySpark code just works. No rewrites. Connect via Spark Connect and go.
Ridiculously Fast - Up to 8× faster than Spark, with benchmarks to show for it.
Cloud-Friendly - 94% cheaper infrastructure costs thanks to stateless workers and zero shuffle spills.
If tuning JVM flags and burning cash on idle executors is not your thing, then you should check out Sail.
AWESOME LINKS OF THE WEEK
Rust 1.91.0 is out and it promotes aarch64-pc-windows-msvc to Tier 1, adds lint for dangling raw pointers, and lots of stabilized APIs. More on that next issue.
Also Project goals for 2025H2 is out.
"Recent Rust Changes" by Nicholas Cameron highlights key language, standard library, and tooling updates from Rust 1.79 through 1.90.
Eric Fecteau's Data Analysis in Rust is a hands-on, "learn by example" guide to doing data analysis the Rust way.
Lorrens' "Parallel Macro Expansion" dives into the wild ride of making Rust's macro expansion run in parallel, the hurdles, the hacks, and the hard-earned lessons from deep inside the compiler's guts.
Dioxus v0.7.0 is out bringing with it Hot-Patching, a new Native Renderer, Axum integration, Bundle Splitting, Radix-UI, and more!
Also, the first Rust SDK for embedded devices - esp-hal 1.0 is out. Big props to the crew who wrangled microcontrollers into speaking fluent Rust.
David Pacheco from Oxide published findings on "futurelock", a subtle async Rust deadlock where unpolled futures hold mutexes, blocking progress in Tokio select.
Edward Wang and Kevin Guthrie from Cloudflare gave a talk on how they handle 90 million requests per second with Pingora, because apparently "scale" means making the internet their personal stress test. [video]
The article "When O3 is 2x slower than O2" explores why Rust code compiled with -O3 can sometimes run slower than with -O2, discussing compiler optimizations, assembly, and CPU behavior to uncover a bizarre performance regression.
Preston Thorpe, a developer at Turso coding from prison, shared his incredible journey on The Database School Podcast, from a cell to rewriting SQLite in Rust. [video]
CodeCrafters: Become a Better Rust Engineer
CodeCrafters created amazing Rust courses that push your skills beyond the basics.
You'll have fun building real-world projects from scratch, including Git, Docker, Redis, Kafka, SQLite, Grep, BitTorrent, HTTP Server, an Interpreter, and DNS.
The courses are self-paced, so you can learn at your own speed. If you're itching to level up your Rust skills, these courses are perfect for you.
Join for free and get 40% off when you upgrade. [affiliate]
SUPPORT RUST BYTES
You're Rust Bytes' biggest fans, and we love to see it.
Here's how you can help:
❤️ Recommend Rust Bytes to your friends.
🤳 Connect with us on our socials: X, BlueSky, Mastodon, Publication.
☕️ Buy our editors a coffee.
📨 Email us at rustaceanseditors@gmail.com for sponsorship, feedback or ideas.
I visited a gallery and art exhibition center last week, and got to see some stunning antiques from all around the world.
That's all for now, Rustaceans.
John & Elley.



Using Rust right now for my project

pub fn flatten(nested: &[Nested]) -> Vec<i64> {
    flatten_recursive(Nested::List(nested.to_vec()))
}

fn flatten_recursive(nested: Nested) -> Vec<i64> {
    match nested {
        Nested::Int(i) => vec![i],
        Nested::List(v) => v.into_iter().flat_map(flatten_recursive).collect(),
    }
}