Security Advisory for Cargo (CVE-2026-5222)
A vulnerability in Cargo, tracked as CVE-2026-5222, was identified in how it normalized the URLs of third-party registries that use the sparse index protocol. Where a hosting provider lets multiple registries with arbitrary names share one domain, an attacker able to publish crates to a registry could obtain the credentials of other users of that registry. The Rust Security Response Team rates the severity as low because of the narrow conditions required. The issue will be fixed in Rust 1.96, scheduled for release on May 28, 2026.
- The vulnerability arises from Cargo normalizing sparse-index registry URLs the way git hosting treats repository URLs, which are reachable with or without the .git suffix.
- An attacker who can publish crates to a registry hosted alongside others on a shared domain could obtain other users' credentials for that registry.
- Rust 1.96 will ship the Cargo fix; the severity is rated low.
Opening excerpt from the advisory:
The Rust Security Response Team was notified that Cargo incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of other users of the same registry. This vulnerability is tracked as CVE-2026-5222. The severity of the vulnerability is low, due to the extremely niche requirements needed to achieve the attack.
Overview
Originally Cargo only supported storing a registry's index within git repositories. Most git hosting solutions allow accessing a git repository with or without the .git suffix, so Cargo mirrored this behavior when normalizing registry URLs.
…
The full advisory is published at Rust-lang.
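The excerpt's overview explains the root cause: the git-hosting rule that "repo" and "repo.git" are the same repository was applied to sparse-index registry URLs too. The following is an added example, written for this page and not Cargo's own code, that models that normalization and a credential store keyed by the normalized URL. It assumes a constructed scenario in which a hosting provider lets an attacker create a registry named team.git next to a victim's registry named team on the same host; the hostname registries.example, the token value, and the function names are all invented for illustration. The flawed normalizer folds the two URLs together, so the token the victim stored for their registry is the one the client would attach to a request for the attacker's; the hardened normalizer keeps sparse registries distinct while still folding the .git suffix for git indexes.

```rust
use std::collections::HashMap;

/// Which index protocol a registry URL uses. Defined for this example only;
/// Cargo's own types are not reproduced here.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum IndexKind {
    Git,
    Sparse,
}

/// Split a registry URL into its index kind and the HTTP(S) part. Sparse
/// registries carry a `sparse+` prefix; everything else is treated as a git index.
pub fn split_kind(url: &str) -> (IndexKind, &str) {
    match url.strip_prefix("sparse+") {
        Some(rest) => (IndexKind::Sparse, rest),
        None => (IndexKind::Git, url),
    }
}

/// Drop trailing slashes (they never distinguish two registries) and, when
/// asked, fold a trailing `.git` the way git hosting does.
fn canonical_path(rest: &str, strip_git_suffix: bool) -> String {
    let trimmed = rest.trim_end_matches('/');
    let trimmed = if strip_git_suffix {
        trimmed.strip_suffix(".git").unwrap_or(trimmed)
    } else {
        trimmed
    };
    trimmed.to_string()
}

/// Flawed normalization: applies the git rule ("foo" == "foo.git") to every
/// registry kind, including sparse ones. This is the behaviour the advisory describes.
pub fn normalize_flawed(url: &str) -> String {
    let (kind, rest) = split_kind(url);
    let path = canonical_path(rest, true);
    match kind {
        IndexKind::Git => path,
        IndexKind::Sparse => format!("sparse+{}", path),
    }
}

/// Hardened normalization: only git indexes get the `.git` suffix folded;
/// a sparse registry is identified by its exact path.
pub fn normalize_fixed(url: &str) -> String {
    let (kind, rest) = split_kind(url);
    match kind {
        IndexKind::Git => canonical_path(rest, true),
        IndexKind::Sparse => format!("sparse+{}", canonical_path(rest, false)),
    }
}

/// A credential store keyed by normalized registry URL, modelling how a
/// client decides which token to attach to a request for a given registry.
pub struct CredentialStore {
    normalize: fn(&str) -> String,
    tokens: HashMap<String, String>,
}

impl CredentialStore {
    pub fn new(normalize: fn(&str) -> String) -> Self {
        Self { normalize, tokens: HashMap::new() }
    }

    pub fn login(&mut self, registry_url: &str, token: &str) {
        self.tokens.insert((self.normalize)(registry_url), token.to_string());
    }

    /// Token the client would send to `registry_url`, if it has one.
    pub fn token_for(&self, registry_url: &str) -> Option<&str> {
        self.tokens.get(&(self.normalize)(registry_url)).map(String::as_str)
    }
}

// Constructed scenario (hostname and names invented for this example): the
// victim logs in to the team registry; an attacker who can create a registry
// with an arbitrary name on the same host picks one differing only by `.git`.
pub const VICTIM_REGISTRY: &str = "sparse+https://registries.example/team/";
pub const ATTACKER_REGISTRY: &str = "sparse+https://registries.example/team.git/";

/// The token that would be sent to the attacker's registry under the given
/// normalizer; `None` means the credential stays bound to the right registry.
pub fn leaked_token(normalize: fn(&str) -> String) -> Option<String> {
    let mut store = CredentialStore::new(normalize);
    store.login(VICTIM_REGISTRY, "victim-token");
    store.token_for(ATTACKER_REGISTRY).map(str::to_string)
}

fn main() {
    println!("flawed normalizer leaks: {:?}", leaked_token(normalize_flawed));
    println!("fixed normalizer leaks:  {:?}", leaked_token(normalize_fixed));
}
```

The practical check on a real deployment is the same shape: for any pair of registry URLs that a provider could hand to two different tenants, the value used to key credentials must differ. Folding suffixes or case for one protocol is only safe if that protocol guarantees the folded forms reach the same server-side resource.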