GHSA-P688-R7JV-FM6F

Vulnerability from github – Published: 2026-06-26 21:47 – Updated: 2026-06-26 21:47
VLAI
Summary
Cargo can be coerced to share credentials between registries
Details

The Rust Security Response Team was notified that Cargo incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry.

This vulnerability is tracked as CVE-2026-5222. The severity of the vulnerability is low, due to the extremely niche requirements needed to achieve the attack.

Overview

Originally Cargo only supported storing a registry's index within git repositories. Most git hosting solutions allow accessing a git repository with or without the .git suffix, so Cargo mirrored this behavior when normalizing registry URLs. This allowed credentials for https://example.com/index to be used for https://example.com/index.git.

This normalization was unintentionally applied to the new sparse indexes too. Sparse indexes can be hosted on any HTTPS server, which treat URLs ending with .git as different URLs than those without the suffix.

If the following conditions apply:

  • https://example.com/index is a sparse index.
  • https://example.com/index allows crates to depend on crates from any other registry.
  • The attacker is able to publish crates on https://example.com/index.
  • The attacker is able to upload arbitrary files to https://example.com/index.git.

...the attacker could configure https://example.com/index.git to be a Cargo sparse registry requiring authentication for downloads, and with a download URL pointing to a server recording any credentials set to it.

When the attacker then publishes a crate foo to https://example.com/index depending on a crate bar from https://example.com/index.git, and tricks the victim into downloading foo, Cargo will think the two registries share the same credential and send the victim's Cargo token to the malicious registry.

Mitigations

Rust 1.96, to be released on May 28th, 2026, will update Cargo to only strip the .git suffix from registry URLs using the git protocol. No mitigations are available for users of older versions of Cargo.

Affected versions

All versions of Cargo shipped between Rust 1.68 (the stabilization of sparse registries) and 1.96 are affected.

Acknowledgements

Cargo would like to thank Christos Papakonstantinou for reporting this issue according to the Rust security policy.

Cargo also wants to thank the members of the Rust project who helped address the vulnerability: Arlo Siemens for developing the fix; Weihang Lo, Eric Huss and Emily Albini for reviewing the fix; Emily Albini for writing this advisory; Emily Albini, Josh Stone and Manish Goregaokar for coordinating the disclosure.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "cargo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.97.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-5222"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-647"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T21:47:54Z",
    "nvd_published_at": "2026-05-25T10:16:15Z",
    "severity": "LOW"
  },
  "details": "The Rust Security Response Team was notified that Cargo incorrectly normalized the URLs of third-party registries using the [sparse index protocol][1]. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry.\n\nThis vulnerability is tracked as CVE-2026-5222. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack.\n\n## Overview\n\nOriginally Cargo only supported storing a registry\u0027s index within git repositories. Most git hosting solutions allow accessing a git repository with or without the `.git` suffix, so Cargo mirrored this behavior when normalizing registry URLs. This allowed credentials for `https://example.com/index` to be used for `https://example.com/index.git`.\n\nThis normalization was unintentionally applied to the new sparse indexes too. Sparse indexes can be hosted on any HTTPS server, which treat URLs ending with `.git` as different URLs than those without the suffix.\n\nIf the following conditions apply:\n\n* `https://example.com/index` is a sparse index.\n* `https://example.com/index` allows crates to depend on crates from any other registry.\n* The attacker is able to publish crates on `https://example.com/index`.\n* The attacker is able to upload arbitrary files to `https://example.com/index.git`.\n\n...the attacker could configure `https://example.com/index.git` to be a Cargo sparse registry requiring authentication for downloads, and with a download URL pointing to a server recording any credentials set to it.\n\nWhen the attacker then publishes a crate `foo` to `https://example.com/index` depending on a crate `bar` from `https://example.com/index.git`, and tricks the victim into downloading `foo`,  Cargo will think the two registries share the same credential and send the victim\u0027s Cargo token to the malicious registry.\n\n## Mitigations\n\nRust 1.96, to be released on May 28th, 2026, will update Cargo to only strip the `.git` suffix from registry URLs using the git protocol. No mitigations are available for users of older versions of Cargo.\n\n## Affected versions\n\nAll versions of Cargo shipped between Rust 1.68 (the stabilization of sparse registries) and 1.96 are affected.\n\n## Acknowledgements\n\nCargo would like to thank Christos Papakonstantinou for reporting this issue according to the [Rust security policy][2].\n\nCargo also wants to thank the members of the Rust project who helped address the vulnerability: Arlo Siemens for developing the fix; Weihang Lo, Eric Huss and Emily Albini for reviewing the fix; Emily Albini for writing this advisory; Emily Albini, Josh Stone and Manish Goregaokar for coordinating the disclosure.\n\n[1]: https://doc.rust-lang.org/cargo/reference/registries.html#registry-protocols\n[2]: https://rust-lang.org/policies/security",
  "id": "GHSA-p688-r7jv-fm6f",
  "modified": "2026-06-26T21:47:54Z",
  "published": "2026-06-26T21:47:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rust-lang/cargo/security/advisories/GHSA-p688-r7jv-fm6f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5222"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rust-lang/cargo/pull/17031"
    },
    {
      "type": "WEB",
      "url": "https://blog.rust-lang.org/2026/05/25/cve-2026-5222"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rust-lang/cargo"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/rustlang-security-announcements/c/SfUxOiIdY5s"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Cargo can be coerced to share credentials between registries"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…