The Rust Security Response Team has identified two vulnerabilities in Cargo, impacting third-party registries. CVE-2026-5222 is a low-severity issue allowing potential credential exposure, while CVE-2026-5223 is a medium-severity issue that could allow malicious code to overwrite other crates. Rust 1.96.0, releasing May 28, 2026, will address these issues.
The Rust Security Response Team has identified two vulnerabilities affecting Cargo, the Rust package manager. These vulnerabilities are tracked as CVE-2026-5222 and CVE-2026-5223, affecting users of third-party registries. The Rust team plans to mitigate these issues in the upcoming release of Rust 1.96.0, set for May 28, 2026.
CVE-2026-5222 involves a low-severity flaw where Cargo incorrectly normalizes registry URLs, potentially exposing user credentials if specific conditions are met. This primarily affects registries using the sparse index protocol, where URLs with and without a .git suffix are treated interchangeably.
CVE-2026-5223 represents a medium-severity issue where malicious crates can use symlinks within tarballs from third-party registries to overwrite other crates' source code. This vulnerability does not affect crates.io users, as the platform does not allow crates with symlinks.
The upcoming Rust release 1.96.0 will address these security concerns. It will ensure that Cargo rejects attempts to extract symlinks from any crate tarball, thereby preventing malicious code overwrites. Additionally, adjustments will be made to handle URL normalization more securely in the context of sparse indexes.
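As an added illustration of the mitigation described above (this is example code written for this summary, not Cargo's own patch), the following Rust program parses the entry headers of a tar archive, which is the container format inside a `.crate` file once gunzipped, and refuses the whole archive if any entry is a symlink or hardlink. It uses only the standard library and a hand-built ustar header so it runs offline; the two archives (`benign_archive`, `link_archive`) and the crate names inside them are constructed sample data, not real crates from any registry.

```rust
// Added example: reject symlink/hardlink entries in a tar archive before
// extraction. Illustrative only; Cargo's actual fix lives in the `tar`-based
// extraction code and is not reproduced here.

#[derive(Debug, PartialEq)]
pub enum EntryKind { Regular, Directory, Symlink, Hardlink, Other(u8) }

#[derive(Debug)]
pub struct Entry { pub name: String, pub kind: EntryKind, pub size: u64 }

// tar stores numeric fields as ASCII octal, NUL or space terminated
fn parse_octal(field: &[u8]) -> u64 {
    let s: String = field.iter().take_while(|&&b| b != 0 && b != b' ').map(|&b| b as char).collect();
    u64::from_str_radix(s.trim(), 8).unwrap_or(0)
}

fn cstr(field: &[u8]) -> String {
    let end = field.iter().position(|&b| b == 0).unwrap_or(field.len());
    String::from_utf8_lossy(&field[..end]).into_owned()
}

/// Walk the 512-byte headers without extracting any file data.
pub fn list_entries(archive: &[u8]) -> Vec<Entry> {
    let mut entries = Vec::new();
    let mut off = 0usize;
    while off + 512 <= archive.len() {
        let hdr = &archive[off..off + 512];
        if hdr.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        let mut name = cstr(&hdr[0..100]);
        // ustar "prefix" field (offset 345) carries the leading path component
        if &hdr[257..262] == b"ustar" {
            let prefix = cstr(&hdr[345..500]);
            if !prefix.is_empty() { name = format!("{}/{}", prefix, name); }
        }
        let size = parse_octal(&hdr[124..136]);
        let kind = match hdr[156] {
            b'0' | 0 => EntryKind::Regular,
            b'5' => EntryKind::Directory,
            b'2' => EntryKind::Symlink,
            b'1' => EntryKind::Hardlink,
            t => EntryKind::Other(t),
        };
        entries.push(Entry { name, kind, size });
        // file data follows the header, padded to a 512-byte boundary
        off += 512 + ((size as usize + 511) / 512) * 512;
    }
    entries
}

/// Policy check: Ok(entry count) if the archive has no link entries, else Err.
pub fn check_no_links(archive: &[u8]) -> Result<usize, String> {
    let entries = list_entries(archive);
    for e in &entries {
        if matches!(e.kind, EntryKind::Symlink | EntryKind::Hardlink) {
            return Err(format!("rejected: link entry {:?} ({:?})", e.name, e.kind));
        }
    }
    Ok(entries.len())
}

/// Build one ustar header (constructed test data; no real crate is used).
pub fn make_header(name: &str, typeflag: u8, size: u64, linkname: &str) -> [u8; 512] {
    let mut h = [0u8; 512];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..108].copy_from_slice(b"0000644\0"); // mode
    h[108..116].copy_from_slice(b"0000000\0"); // uid
    h[116..124].copy_from_slice(b"0000000\0"); // gid
    h[124..136].copy_from_slice(format!("{:011o}\0", size).as_bytes());
    h[136..148].copy_from_slice(b"00000000000\0"); // mtime
    h[156] = typeflag;
    h[157..157 + linkname.len()].copy_from_slice(linkname.as_bytes());
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    // checksum = byte sum with the checksum field counted as spaces
    h[148..156].copy_from_slice(b"        ");
    let sum: u32 = h.iter().map(|&b| b as u32).sum();
    h[148..155].copy_from_slice(format!("{:06o}\0", sum).as_bytes());
    h[155] = b' ';
    h
}

/// Constructed sample: an ordinary crate layout with two regular files.
pub fn benign_archive() -> Vec<u8> {
    let body = b"fn main() {}\n";
    let mut a = Vec::new();
    a.extend_from_slice(&make_header("demo-0.1.0/Cargo.toml", b'0', 0, ""));
    a.extend_from_slice(&make_header("demo-0.1.0/src/main.rs", b'0', body.len() as u64, ""));
    a.extend_from_slice(body);
    a.resize(a.len() + (512 - body.len() % 512) % 512, 0); // pad data block
    a.extend_from_slice(&[0u8; 1024]); // end-of-archive
    a
}

/// Constructed sample: a symlink entry whose target is outside the crate dir.
pub fn link_archive() -> Vec<u8> {
    let mut a = Vec::new();
    a.extend_from_slice(&make_header("demo-0.1.0/src", b'2', 0, "../other-crate-1.0.0/src"));
    a.extend_from_slice(&[0u8; 1024]);
    a
}

fn main() {
    println!("benign: {:?}", check_no_links(&benign_archive()));
    println!("link:   {:?}", check_no_links(&link_archive()));
}
```

The check runs over headers only, so it costs nothing to apply before any bytes are written to disk; a registry proxy or CI step that vets third-party crates can apply the same policy ahead of the Cargo version that enforces it. Real crate files are gzip-compressed, so decompress first (for example with the `flate2` crate) before handing the bytes to `check_no_links`.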
These vulnerabilities highlight the importance of secure practices in package management, particularly for third-party registry users. Addressing these issues helps maintain the integrity and security of Rust's package ecosystem, minimizing risks of unauthorized access or malicious code alterations.
This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.
A security vulnerability in Cargo allows for the potential exposure of user credentials under specific conditions. Remediation will occur in the upcoming Rust release 1.96, but users of older versions may remain vulnerable.
CVE-2026-5223 identifies a medium-severity vulnerability in Cargo that allows malicious crates to override other crates' source code via symlinks in tarballs from third-party registries. A patch will be included in Rust version 1.96.0, which is scheduled for release on May 28, 2026.