Search criteria
3 vulnerabilities
CVE-2026-5223 (GCVE-0-2026-5223)
Vulnerability from cvelistv5 – Published: 2026-05-25 08:57 – Updated: 2026-05-25 08:57
VLAI
Title
Crates in third party registries can override the cached source of other crates
Summary
Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink.
Severity
CWE
- CWE-61 - UNIX symbolic link (symlink) following
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://groups.google.com/g/rustlang-security-ann… | vendor-advisorymailing-list |
| https://blog.rust-lang.org/2026/05/25/cve-2026-5223/ | vendor-advisory |
| https://github.com/rust-lang/cargo/pull/17031 | patch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Rust Project | Cargo |
Affected:
1.0.0 , < 1.96.0
(semver)
|
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://crates.io",
"defaultStatus": "unaffected",
"packageName": "cargo",
"product": "Cargo",
"repo": "https://github.com/rust-lang/cargo",
"vendor": "Rust Project",
"versions": [
{
"lessThan": "1.96.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry.\u0026nbsp;The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink."
}
],
"value": "Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry.\u00a0The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink."
}
],
"impacts": [
{
"capecId": "CAPEC-141",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-141 Cache Poisoning"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "CWE-61 UNIX symbolic link (symlink) following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T08:57:08.488Z",
"orgId": "986d4109-89ea-491f-99fd-a8e4803919bd",
"shortName": "rust"
},
"references": [
{
"tags": [
"vendor-advisory",
"mailing-list"
],
"url": "https://groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://blog.rust-lang.org/2026/05/25/cve-2026-5223/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/rust-lang/cargo/pull/17031"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Rust 1.96.0, to be released on May 28th, 2026, will update Cargo to \nreject extracting *any* symlink within crate tarballs, regardless of \nwhether they come from crates.io (which already forbids them) or \nthird-party registries. Note that Cargo never added symlinks when \nrunning `cargo package` or `cargo publish`, so the impact of this should be\n minimal."
}
],
"value": "Rust 1.96.0, to be released on May 28th, 2026, will update Cargo to \nreject extracting *any* symlink within crate tarballs, regardless of \nwhether they come from crates.io (which already forbids them) or \nthird-party registries. Note that Cargo never added symlinks when \nrunning `cargo package` or `cargo publish`, so the impact of this should be\n minimal."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Crates in third party registries can override the cached source of other crates",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Users who are not able to upgrade to the most recent Rust version are recommended to audit the contents of their registry for the presence of any symlink, and to configure their registry to reject symlink (if such option is available).\u003cbr\u003e"
}
],
"value": "Users who are not able to upgrade to the most recent Rust version are recommended to audit the contents of their registry for the presence of any symlink, and to configure their registry to reject symlink (if such option is available)."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "986d4109-89ea-491f-99fd-a8e4803919bd",
"assignerShortName": "rust",
"cveId": "CVE-2026-5223",
"datePublished": "2026-05-25T08:57:08.488Z",
"dateReserved": "2026-03-31T12:07:41.420Z",
"dateUpdated": "2026-05-25T08:57:08.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5222 (GCVE-0-2026-5222)
Vulnerability from cvelistv5 – Published: 2026-05-25 08:54 – Updated: 2026-05-26 14:43
VLAI
Title
Cargo can be coerced to share credentials between registries
Summary
Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack.
Severity
CWE
- CWE-647 - Use of Non-Canonical URL paths for authorization decisions
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://groups.google.com/g/rustlang-security-ann… | vendor-advisorymailing-list |
| https://blog.rust-lang.org/2026/05/25/cve-2026-5222/ | vendor-advisory |
| https://github.com/rust-lang/cargo/pull/17031 | patch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5222",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T14:36:59.303136Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T14:43:10.019Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://crates.io",
"defaultStatus": "unaffected",
"modules": [
"sparse index"
],
"packageName": "cargo",
"product": "Cargo",
"repo": "https://github.com/rust-lang/cargo",
"vendor": "Rust",
"versions": [
{
"lessThan": "1.96.0",
"status": "affected",
"version": "1.68.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eCargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry.\u0026nbsp;The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack.\u003c/div\u003e"
}
],
"value": "Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry.\u00a0The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-647",
"description": "CWE-647 Use of Non-Canonical URL paths for authorization decisions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T08:54:56.348Z",
"orgId": "986d4109-89ea-491f-99fd-a8e4803919bd",
"shortName": "rust"
},
"references": [
{
"tags": [
"vendor-advisory",
"mailing-list"
],
"url": "https://groups.google.com/g/rustlang-security-announcements/c/SfUxOiIdY5s"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://blog.rust-lang.org/2026/05/25/cve-2026-5222/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/rust-lang/cargo/pull/17031"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Rust 1.96, to be released on May 28th, 2026, will update Cargo to only strip the `.git` suffix from registry URLs using the git protocol. No mitigations are available for users of older versions of Cargo."
}
],
"value": "Rust 1.96, to be released on May 28th, 2026, will update Cargo to only strip the `.git` suffix from registry URLs using the git protocol. No mitigations are available for users of older versions of Cargo."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cargo can be coerced to share credentials between registries",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "986d4109-89ea-491f-99fd-a8e4803919bd",
"assignerShortName": "rust",
"cveId": "CVE-2026-5222",
"datePublished": "2026-05-25T08:54:56.348Z",
"dateReserved": "2026-03-31T12:07:40.168Z",
"dateUpdated": "2026-05-26T14:43:10.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11233 (GCVE-0-2025-11233)
Vulnerability from cvelistv5 – Published: 2025-10-01 16:49 – Updated: 2025-10-01 17:35
VLAI
Title
Rust standard library didn't detect all path separators on Cygwin
Summary
Starting from Rust 1.87.0 and before Rust 1.89.0, the tier 3 Cygwin target (`x86_64-pc-cygwin`) didn't correctly handle path separators, causing the standard library's Path API to ignore path components separated by backslashes. Due to this, programs compiled for Cygwin that validate paths could misbehave, potentially allowing path traversal attacks or malicious filesystem operations.
Rust 1.89.0 fixes the issue by handling both Win32 and Unix style paths in the standard library for the Cygwin target.
While we assess the severity of this vulnerability as "medium", please note that the tier 3 Cygwin compilation target is only available when building it from source: no pre-built binaries are distributed by the Rust project, and it cannot be installed through Rustup. Unless you manually compiled the `x86_64-pc-cygwin` target you are not affected by this vulnerability. Users of the tier 1 MinGW target (`x86_64-pc-windows-gnu`) are also explicitly not affected.
Severity
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/rust-lang/rust/pull/141864 | patch |
| https://groups.google.com/g/rustlang-security-ann… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Rust Project | std |
Affected:
1.87.0 , < 1.89.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11233",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:21:57.111508Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:35:23.572Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "std",
"repo": "https://github.com/rust-lang/rust",
"vendor": "Rust Project",
"versions": [
{
"lessThan": "1.89.0",
"status": "affected",
"version": "1.87.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003c/div\u003e\u003cdiv\u003eStarting from Rust 1.87.0 and before Rust 1.89.0, the tier 3 Cygwin target (`x86_64-pc-cygwin`) didn\u0027t correctly handle path separators, causing the standard library\u0027s Path API to ignore path components separated by backslashes. Due to this, programs compiled for Cygwin that validate paths could misbehave, potentially allowing path traversal attacks or malicious filesystem operations.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003eRust 1.89.0 fixes the issue by handling both Win32 and Unix style paths in the standard library for the Cygwin target.\u003cbr\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eWhile we assess the severity of this vulnerability as \"medium\", please note that the tier 3 Cygwin compilation target is only available when building it from source: no pre-built binaries are distributed by the Rust project, and it cannot be installed through Rustup. Unless you manually compiled the `x86_64-pc-cygwin` target you are not affected by this vulnerability. Users of the tier 1 MinGW target (`x86_64-pc-windows-gnu`) are also explicitly not affected.\u003c/div\u003e\u003cdiv\u003e\u003c/div\u003e"
}
],
"value": "Starting from Rust 1.87.0 and before Rust 1.89.0, the tier 3 Cygwin target (`x86_64-pc-cygwin`) didn\u0027t correctly handle path separators, causing the standard library\u0027s Path API to ignore path components separated by backslashes. Due to this, programs compiled for Cygwin that validate paths could misbehave, potentially allowing path traversal attacks or malicious filesystem operations.\n\n\n\n\nRust 1.89.0 fixes the issue by handling both Win32 and Unix style paths in the standard library for the Cygwin target.\n\n\n\nWhile we assess the severity of this vulnerability as \"medium\", please note that the tier 3 Cygwin compilation target is only available when building it from source: no pre-built binaries are distributed by the Rust project, and it cannot be installed through Rustup. Unless you manually compiled the `x86_64-pc-cygwin` target you are not affected by this vulnerability. Users of the tier 1 MinGW target (`x86_64-pc-windows-gnu`) are also explicitly not affected."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/AU:Y/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:00:18.704Z",
"orgId": "986d4109-89ea-491f-99fd-a8e4803919bd",
"shortName": "rust"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/rust-lang/rust/pull/141864"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://groups.google.com/g/rustlang-security-announcements/c/oT9zCvLLYkw"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We recommend users of Cygwin targets to upgrade to 1.89.0 or a later version."
}
],
"value": "We recommend users of Cygwin targets to upgrade to 1.89.0 or a later version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Rust standard library didn\u0027t detect all path separators on Cygwin",
"x_generator": {
"engine": "meow :3"
}
}
},
"cveMetadata": {
"assignerOrgId": "986d4109-89ea-491f-99fd-a8e4803919bd",
"assignerShortName": "rust",
"cveId": "CVE-2025-11233",
"datePublished": "2025-10-01T16:49:50.139Z",
"dateReserved": "2025-10-01T16:38:24.568Z",
"dateUpdated": "2025-10-01T17:35:23.572Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}