This security flaw affects not only projects using async-tar but also tokio-tar, an extremely popular fork with over 7 million downloads on crates.io that has also been abandoned.