
Security Advisory for Cargo (CVE-2026-5222) | Rust Blog

May 25, 2026 · Rust Security Response Team

The Rust Security Response Team was notified that Cargo incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of other users of the same registry.

This vulnerability is tracked as CVE-2026-5222. The severity of the vulnerability is low, due to the extremely niche requirements needed to achieve the attack.

Overview

Originally Cargo only supported storing a registry's index within git repositories. Most git hosting solutions allow accessing a git repository with or without the .git suffix, so Cargo mirrored this behavior when normalizing registry URLs. This allowed credentials for https://example.com/index to be used for https://example.com/index.git.

This normalization was unintentionally applied to the new sparse indexes too. Sparse indexes can be hosted on any HTTPS server, and an HTTPS server treats URLs ending with .git as different URLs than those without the suffix.

If the following conditions apply:

https://example.com/index is a sparse index.

https://example.com/index allows crates to depend on crates from any other registry.

The attacker is able to publish crates on https://example.com/index.

The attacker is able to upload arbitrary files to https://example.com/index.git.

...the attacker could configure https://example.com/index.git to be a Cargo sparse registry requiring authentication for downloads, and with a download URL pointing to a server recording any credentials sent to it.

When the attacker then publishes a crate foo to https://example.com/index depending on a crate bar from https://example.com/index.git, and tricks the victim into downloading foo, Cargo will think the two registries share the same credential and send the victim's Cargo token to the malicious registry.

Mitigations

Rust 1.96, to be released on May 28th, 2026, will update Cargo to only strip the .git suffix from registry URLs using the git protocol. No mitigations are available for users of older versions of Cargo.
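The two normalization rules above, as an added example that is not Cargo's own code: a stand-in credential store keyed on the old normalization hands the token stored for https://example.com/index to a download from https://example.com/index.git, while keying on the corrected rule (strip .git only for git-protocol indexes) does not. The IndexProtocol, CredentialStore and leaked_token names, the example.com URLs and the token value are constructed for this illustration.

```rust
use std::collections::HashMap;
#[derive(Clone, Copy)]
enum IndexProtocol { Git, Sparse }

/// Pre-1.96 behaviour: ".git" is dropped from every registry URL, so
/// "https://example.com/index.git" and "https://example.com/index" share a key.
fn normalize_vulnerable(url: &str, _proto: IndexProtocol) -> String {
    let u = url.trim_end_matches('/');
    u.strip_suffix(".git").unwrap_or(u).to_string()
}
/// Fixed behaviour: strip the suffix only for git-protocol indexes, since git
/// hosts alias the two forms while an HTTPS server treats them as distinct paths.
fn normalize_fixed(url: &str, proto: IndexProtocol) -> String {
    let u = url.trim_end_matches('/');
    match proto {
        IndexProtocol::Git => u.strip_suffix(".git").unwrap_or(u).to_string(),
        IndexProtocol::Sparse => u.to_string(),
    }
}
/// Stand-in for Cargo's credential store: tokens keyed by normalized index URL.
struct CredentialStore {
    normalize: fn(&str, IndexProtocol) -> String,
    tokens: HashMap<String, String>,
}
impl CredentialStore {
    fn new(normalize: fn(&str, IndexProtocol) -> String) -> Self {
        CredentialStore { normalize, tokens: HashMap::new() }
    }
    fn login(&mut self, index: &str, proto: IndexProtocol, token: &str) {
        self.tokens.insert((self.normalize)(index, proto), token.to_string());
    }
    /// The token that would be attached to a download from `index`, if any.
    fn token_for(&self, index: &str, proto: IndexProtocol) -> Option<&str> {
        self.tokens.get(&(self.normalize)(index, proto)).map(String::as_str)
    }
}

/// The advisory's scenario with a constructed token: the victim is logged in to the
/// legitimate sparse index, then fetches a dependency from a sparse index at the ".git" URL.
fn leaked_token(normalize: fn(&str, IndexProtocol) -> String) -> Option<String> {
    let mut store = CredentialStore::new(normalize);
    store.login("https://example.com/index", IndexProtocol::Sparse, "victim-token");
    store.token_for("https://example.com/index.git", IndexProtocol::Sparse).map(str::to_string)
}

fn main() {
    println!("vulnerable: {:?}", leaked_token(normalize_vulnerable)); // Some("victim-token")
    println!("fixed: {:?}", leaked_token(normalize_fixed)); // None
}
```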

Affected versions

All versions of Cargo shipped between Rust 1.68 (the stabilization of sparse registries) and 1.96 are affected.

Acknowledgements

We'd like to thank Christos Papakonstantinou for reporting this to us according to the Rust security policy.

We also want to thank the members of the Rust project who helped us address the vulnerability: Arlo Siemens for developing the fix; Weihang Lo, Eric Huss and Emily Albini for reviewing the fix; Emily Albini for writing this advisory; Emily Albini, Josh Stone and Manish Goregaokar for coordinating the disclosure.
