Cargo
Monthly
Tarball unpacking in Rust's Cargo package manager fails to reject symlinks within downloaded crate archives, enabling a malicious crate hosted on a third-party registry to overwrite source files belonging to other crates in the victim's local registry cache. The attack requires no privileges on the attacker side (PR:N per CVSS 4.0) but passive user interaction (UI:P) - specifically, a developer running any Cargo command that triggers crate download and extraction. While crates.io users are explicitly unaffected (that registry enforces a server-side symlink prohibition), users of any third-party Cargo registry are at risk of supply chain source substitution; no public exploit has been identified at time of analysis, and EPSS is very low at 0.04%.
Credential leakage in Cargo's sparse index registry URL normalization affects all Cargo releases from 1.68 through 1.96. The flaw caused Cargo to incorrectly apply git-registry canonicalization rules - specifically, stripping `.git` suffixes and lowercasing GitHub paths - to sparse index protocol URLs (prefixed with `sparse+`). This allowed two distinct sparse registry URLs that differed only by a `.git` suffix to resolve to the same canonical identifier, meaning credentials configured for one registry could be transmitted to a different, attacker-controlled registry on the same domain. No public exploit identified at time of analysis; EPSS is 0.04% (12th percentile), consistent with the vendor-assessed low severity and SSVC exploitation status of none.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows SQL Injection.6.X before 3.6.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross-Site Scripting (XSS).6.X before. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cross-Site Request Forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross Site Request Forgery.6.X before 3.6.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cargo downloads the Rust project’s dependencies and compiles the project. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity.
Cargo is a package manager for the rust programming language. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.
Cargo is a package manager for the rust programming language. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
Tarball unpacking in Rust's Cargo package manager fails to reject symlinks within downloaded crate archives, enabling a malicious crate hosted on a third-party registry to overwrite source files belonging to other crates in the victim's local registry cache. The attack requires no privileges on the attacker side (PR:N per CVSS 4.0) but passive user interaction (UI:P) - specifically, a developer running any Cargo command that triggers crate download and extraction. While crates.io users are explicitly unaffected (that registry enforces a server-side symlink prohibition), users of any third-party Cargo registry are at risk of supply chain source substitution; no public exploit has been identified at time of analysis, and EPSS is very low at 0.04%.
Credential leakage in Cargo's sparse index registry URL normalization affects all Cargo releases from 1.68 through 1.96. The flaw caused Cargo to incorrectly apply git-registry canonicalization rules - specifically, stripping `.git` suffixes and lowercasing GitHub paths - to sparse index protocol URLs (prefixed with `sparse+`). This allowed two distinct sparse registry URLs that differed only by a `.git` suffix to resolve to the same canonical identifier, meaning credentials configured for one registry could be transmitted to a different, attacker-controlled registry on the same domain. No public exploit identified at time of analysis; EPSS is 0.04% (12th percentile), consistent with the vendor-assessed low severity and SSVC exploitation status of none.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows SQL Injection.6.X before 3.6.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross-Site Scripting (XSS).6.X before. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cross-Site Request Forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross Site Request Forgery.6.X before 3.6.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cargo downloads the Rust project’s dependencies and compiles the project. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity.
Cargo is a package manager for the rust programming language. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.
Cargo is a package manager for the rust programming language. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.