2 vulnerabilities by Rust
CVE-2026-5222 (GCVE-0-2026-5222)
Vulnerability from cvelistv5 – Published: 2026-05-25 08:54 – Updated: 2026-05-25 08:54
Title
Cargo can be coerced to share credentials between registries
Summary
Cargo from 1.68 up to, but not including, 1.96 incorrectly normalized the URLs of third-party registries that use the sparse index protocol: the `.git` suffix was stripped from every registry URL, not only from git-protocol ones, so two distinct sparse registries could be treated as the same registry for credential purposes. If a hosting provider allows multiple registries to be hosted under arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of other users of that registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack.
Severity
2.3 (Low)
CWE
- CWE-647 - Use of Non-Canonical URL paths for authorization decisions
Assigner
rust
References
3 references
| URL | Tags |
|---|---|
| https://groups.google.com/g/rustlang-security-ann… | vendor-advisory, mailing-list |
| https://blog.rust-lang.org/2026/05/25/cve-2026-5222/ | vendor-advisory |
| https://github.com/rust-lang/cargo/pull/17031 | patch |
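The normalization defect in the summary, shown on a model of the credential lookup. This is an added example, not Cargo's code or the patch in the linked pull request: the `canonical_key` function, the `CredentialStore`, the host `registry.example` and the token value are constructed for illustration, and the only normalization modelled is the `.git` suffix handling that the advisory's solution text describes.

```rust
use std::collections::HashMap;

/// Cargo marks sparse registries with a `sparse+` prefix; everything else
/// is treated here as a git index.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
enum IndexProtocol {
    Git,
    Sparse,
}

fn split_protocol(url: &str) -> (IndexProtocol, &str) {
    match url.strip_prefix("sparse+") {
        Some(rest) => (IndexProtocol::Sparse, rest),
        None => (IndexProtocol::Git, url),
    }
}

/// Key under which a registry's credential is stored and looked up.
/// Simplified model, not Cargo's own code. `git_only == false` reproduces
/// the defective rule (`.git` stripped from every registry URL);
/// `git_only == true` reproduces the fix (`.git` stripped only for git indexes).
fn canonical_key(url: &str, git_only: bool) -> (IndexProtocol, String) {
    let (proto, rest) = split_protocol(url);
    let rest = if proto == IndexProtocol::Git || !git_only {
        rest.strip_suffix(".git").unwrap_or(rest)
    } else {
        rest
    };
    (proto, rest.to_string())
}

/// Credential store keyed by canonical registry key: the lookup that decides
/// which token is attached to a request for a given registry URL.
struct CredentialStore {
    git_only: bool,
    tokens: HashMap<(IndexProtocol, String), String>,
}

impl CredentialStore {
    fn new(git_only: bool) -> Self {
        CredentialStore { git_only, tokens: HashMap::new() }
    }

    fn store(&mut self, registry_url: &str, token: &str) {
        let key = canonical_key(registry_url, self.git_only);
        self.tokens.insert(key, token.to_string());
    }

    /// Token that would be sent to `registry_url`, if any.
    fn token_for(&self, registry_url: &str) -> Option<&str> {
        self.tokens
            .get(&canonical_key(registry_url, self.git_only))
            .map(String::as_str)
    }
}

/// Audit helper: pairs of distinct registry URLs that the defective rule
/// merges into one registry while the fixed rule keeps apart. A git index
/// with and without `.git` merges under both rules and is not reported.
fn colliding_registries<'a>(urls: &[&'a str]) -> Vec<(&'a str, &'a str)> {
    let mut out = Vec::new();
    for (i, a) in urls.iter().enumerate() {
        for b in &urls[i + 1..] {
            if canonical_key(a, false) == canonical_key(b, false)
                && canonical_key(a, true) != canonical_key(b, true)
            {
                out.push((*a, *b));
            }
        }
    }
    out
}

// Constructed scenario (hypothetical host and token): a provider serves many
// sparse registries under one domain and lets anyone create `acme.git` next
// to the existing `acme`. The user only ever configured a token for `acme`.
const VICTIM_REGISTRY: &str = "sparse+https://registry.example/r/acme";
const LOOKALIKE_REGISTRY: &str = "sparse+https://registry.example/r/acme.git";
const TOKEN: &str = "cio-example-token";

/// (token sent to the look-alike under the defective rule, under the fixed rule)
fn tokens_sent_to_lookalike() -> (Option<String>, Option<String>) {
    let mut defective = CredentialStore::new(false);
    defective.store(VICTIM_REGISTRY, TOKEN);
    let mut fixed = CredentialStore::new(true);
    fixed.store(VICTIM_REGISTRY, TOKEN);
    (
        defective.token_for(LOOKALIKE_REGISTRY).map(str::to_string),
        fixed.token_for(LOOKALIKE_REGISTRY).map(str::to_string),
    )
}

fn main() {
    let (before, after) = tokens_sent_to_lookalike();
    println!("defective rule sends: {:?}, fixed rule sends: {:?}", before, after);
    let configured = [VICTIM_REGISTRY, LOOKALIKE_REGISTRY,
                      "https://git.example/index.git", "https://git.example/index"];
    println!("registries that would share a credential: {:?}",
             colliding_registries(&configured));
}
```

`colliding_registries` is the check worth running over the registry URLs in a `.cargo/config.toml` before a pre-1.96 toolchain is used against a multi-tenant host: any pair it reports would be served the same credential there.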
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://crates.io",
"defaultStatus": "unaffected",
"modules": [
"sparse index"
],
"packageName": "cargo",
"product": "Cargo",
"repo": "https://github.com/rust-lang/cargo",
"vendor": "Rust",
"versions": [
{
"lessThan": "1.96.0",
"status": "affected",
"version": "1.68.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eCargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry.\u0026nbsp;The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack.\u003c/div\u003e"
}
],
"value": "Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry.\u00a0The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-647",
"description": "CWE-647 Use of Non-Canonical URL paths for authorization decisions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T08:54:56.348Z",
"orgId": "986d4109-89ea-491f-99fd-a8e4803919bd",
"shortName": "rust"
},
"references": [
{
"tags": [
"vendor-advisory",
"mailing-list"
],
"url": "https://groups.google.com/g/rustlang-security-announcements/c/SfUxOiIdY5s"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://blog.rust-lang.org/2026/05/25/cve-2026-5222/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/rust-lang/cargo/pull/17031"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Rust 1.96, to be released on May 28th, 2026, will update Cargo to only strip the `.git` suffix from registry URLs using the git protocol. No mitigations are available for users of older versions of Cargo."
}
],
"value": "Rust 1.96, to be released on May 28th, 2026, will update Cargo to only strip the `.git` suffix from registry URLs using the git protocol. No mitigations are available for users of older versions of Cargo."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cargo can be coerced to share credentials between registries",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "986d4109-89ea-491f-99fd-a8e4803919bd",
"assignerShortName": "rust",
"cveId": "CVE-2026-5222",
"datePublished": "2026-05-25T08:54:56.348Z",
"dateReserved": "2026-03-31T12:07:40.168Z",
"dateUpdated": "2026-05-25T08:54:56.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-16760 (GCVE-0-2019-16760)
Vulnerability from cvelistv5 – Published: 2019-09-30 21:39 – Updated: 2024-08-05 01:24
Title
Cargo prior to Rust 1.26.0 may download the wrong dependency
Summary
Cargo prior to Rust 1.26.0 may download the wrong dependency if your `Cargo.toml` manifest uses the `package` configuration key. Usage of the `package` key to rename dependencies in `Cargo.toml` is ignored in Rust 1.25.0 and prior, so those versions of Cargo fetch the crate named by the alias instead of the renamed package, and that name could be squatted on crates.io with a malicious package. This affects not only manifests you write locally but also manifests published to crates.io.

Rust 1.0.0 through Rust 1.25.0 are affected by this advisory because Cargo ignores the `package` key in manifests. Rust 1.26.0 through Rust 1.30.0 are not affected and typically emit an error because the `package` key is unstable. Rust 1.31.0 and later are not affected because Cargo understands the `package` key.

Users of the affected versions are strongly encouraged to update to the latest available compiler: preventing this issue requires Rust 1.26.0 or newer. There will be no point release for Rust versions prior to 1.26.0; users of Rust 1.19.0 to Rust 1.25.0 can instead apply the linked patches to mitigate the issue.
Severity
4.6 (Medium)
CWE
- CWE-16 - Configuration
Assigner
GitHub_M
References
4 references
| URL | Tags |
|---|---|
| https://github.com/rust-lang/rust/security/adviso… | x_refsource_CONFIRM |
| https://groups.google.com/forum/#%21topic/rustlan… | x_refsource_MISC |
| https://gist.github.com/pietroalbini/0d293b24a44b… | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2019/10/08/3 | mailing-list, x_refsource_MLIST |
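The resolution difference described in the summary, as an added example that is not Cargo's manifest parser (which is far more complete): a minimal reader for inline-table dependency entries, the pre-1.26 and post-1.31 resolution rules side by side, and an audit helper that lists the renamed entries. The manifest, its `my_*` alias names and the version numbers are constructed for the example; `[dependencies.name]` table sections, multi-line tables and values containing commas or `#` are deliberately not handled.

```rust
/// One dependency entry as written in a manifest.
#[derive(Debug, Clone, PartialEq, Eq)]
struct DepEntry {
    /// Name used in the manifest and in `use` paths.
    alias: String,
    /// Explicit `package = "..."` rename, if present.
    package: Option<String>,
}

/// String value of `key` in an inline table such as
/// `{ package = "rustls", version = "0.2" }`. Simplified for this example:
/// values must not contain commas or quotes.
fn inline_table_string(table: &str, key: &str) -> Option<String> {
    let inner = table.trim().trim_start_matches('{').trim_end_matches('}');
    inner.split(',').find_map(|field| {
        let (k, v) = field.split_once('=')?;
        if k.trim() != key {
            return None;
        }
        Some(v.trim().trim_matches('"').to_string())
    })
}

/// Entries under `[dependencies]`, `[dev-dependencies]` and
/// `[build-dependencies]`, in manifest order. Not Cargo's parser.
fn dependency_entries(manifest: &str) -> Vec<DepEntry> {
    let dep_sections = ["dependencies", "dev-dependencies", "build-dependencies"];
    let mut in_deps = false;
    let mut out = Vec::new();
    for raw in manifest.lines() {
        // strip trailing comments (constructed input has no '#' inside strings)
        let line = raw.split('#').next().unwrap_or("").trim();
        if line.is_empty() {
            continue;
        }
        if line.starts_with('[') {
            let section = line.trim_matches(|c: char| c == '[' || c == ']');
            in_deps = dep_sections.contains(&section);
            continue;
        }
        if !in_deps {
            continue;
        }
        if let Some((alias, value)) = line.split_once('=') {
            let value = value.trim();
            let package = if value.starts_with('{') {
                inline_table_string(value, "package")
            } else {
                None
            };
            out.push(DepEntry { alias: alias.trim().to_string(), package });
        }
    }
    out
}

/// (alias, crate actually fetched from the registry) for each entry.
/// `honors_package_key == false` models Rust 1.0.0 to 1.25.0, which ignored
/// the `package` key and fetched the alias name instead.
fn resolved_downloads(manifest: &str, honors_package_key: bool) -> Vec<(String, String)> {
    dependency_entries(manifest)
        .into_iter()
        .map(|d| {
            let fetched = match (&d.package, honors_package_key) {
                (Some(p), true) => p.clone(),
                _ => d.alias.clone(),
            };
            (d.alias, fetched)
        })
        .collect()
}

/// Audit check: renamed entries, i.e. the (alias, package) pairs where an
/// affected toolchain would fetch a different crate than the author meant.
fn renamed_dependencies(manifest: &str) -> Vec<(String, String)> {
    dependency_entries(manifest)
        .into_iter()
        .filter_map(|d| {
            let package = d.package?;
            if package != d.alias { Some((d.alias, package)) } else { None }
        })
        .collect()
}

// Constructed manifest: the `my_*` aliases are hypothetical names.
const MANIFEST: &str = r#"
[package]
name = "demo-app"
version = "0.1.0"

[dependencies]
serde = "1.0"
my_json = { package = "serde_json", version = "1.0" }
my_tls = { version = "0.2", package = "rustls" }  # keys in either order

[dev-dependencies]
my_assert = { package = "pretty_assertions", version = "0.6" }
"#;

fn main() {
    for (alias, fetched) in resolved_downloads(MANIFEST, false) {
        println!("Rust <= 1.25 fetches {:>18} for dependency {}", fetched, alias);
    }
    for (alias, fetched) in resolved_downloads(MANIFEST, true) {
        println!("Rust >= 1.31 fetches {:>18} for dependency {}", fetched, alias);
    }
    println!("renamed entries to check on the registry: {:?}", renamed_dependencies(MANIFEST));
}
```

Running `renamed_dependencies` over a manifest gives the alias names a pre-1.26 Cargo would fetch from crates.io in place of the intended packages; those are the names to check for squatting before building with an affected toolchain.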
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:24:48.330Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/rust-lang/rust/security/advisories/GHSA-phjm-8x66-qw4r"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21topic/rustlang-security-announcements/rVQ5e3TDnpQ"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/pietroalbini/0d293b24a44babbeb6187e06eebd4992"
},
{
"name": "[oss-security] 20191008 CVE-2019-16760: Cargo prior to Rust 1.26.0 may download the wrong dependency",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/10/08/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "cargo",
"vendor": "rust",
"versions": [
{
"lessThan": "1.26.0",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cargo prior to Rust 1.26.0 may download the wrong dependency if your package.toml file uses the `package` configuration key. Usage of the `package` key to rename dependencies in `Cargo.toml` is ignored in Rust 1.25.0 and prior. When Rust 1.25.0 and prior is used Cargo may download the wrong dependency, which could be squatted on crates.io to be a malicious package. This not only affects manifests that you write locally yourself, but also manifests published to crates.io. Rust 1.0.0 through Rust 1.25.0 is affected by this advisory because Cargo will ignore the `package` key in manifests. Rust 1.26.0 through Rust 1.30.0 are not affected and typically will emit an error because the `package` key is unstable. Rust 1.31.0 and after are not affected because Cargo understands the `package` key. Users of the affected versions are strongly encouraged to update their compiler to the latest available one. Preventing this issue from happening requires updating your compiler to be either Rust 1.26.0 or newer. There will be no point release for Rust versions prior to 1.26.0. Users of Rust 1.19.0 to Rust 1.25.0 can instead apply linked patches to mitigate the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-16",
"description": "CWE-16 Configuration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-08T17:06:07.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rust-lang/rust/security/advisories/GHSA-phjm-8x66-qw4r"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/forum/#%21topic/rustlang-security-announcements/rVQ5e3TDnpQ"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/pietroalbini/0d293b24a44babbeb6187e06eebd4992"
},
{
"name": "[oss-security] 20191008 CVE-2019-16760: Cargo prior to Rust 1.26.0 may download the wrong dependency",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2019/10/08/3"
}
],
"source": {
"advisory": "GHSA-phjm-8x66-qw4r",
"discovery": "UNKNOWN"
},
"title": "Cargo prior to Rust 1.26.0 may download the wrong dependency",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2019-16760",
"STATE": "PUBLIC",
"TITLE": "Cargo prior to Rust 1.26.0 may download the wrong dependency"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "cargo",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.0.0",
"version_value": "1.26.0"
}
]
}
}
]
},
"vendor_name": "rust"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cargo prior to Rust 1.26.0 may download the wrong dependency if your package.toml file uses the `package` configuration key. Usage of the `package` key to rename dependencies in `Cargo.toml` is ignored in Rust 1.25.0 and prior. When Rust 1.25.0 and prior is used Cargo may download the wrong dependency, which could be squatted on crates.io to be a malicious package. This not only affects manifests that you write locally yourself, but also manifests published to crates.io. Rust 1.0.0 through Rust 1.25.0 is affected by this advisory because Cargo will ignore the `package` key in manifests. Rust 1.26.0 through Rust 1.30.0 are not affected and typically will emit an error because the `package` key is unstable. Rust 1.31.0 and after are not affected because Cargo understands the `package` key. Users of the affected versions are strongly encouraged to update their compiler to the latest available one. Preventing this issue from happening requires updating your compiler to be either Rust 1.26.0 or newer. There will be no point release for Rust versions prior to 1.26.0. Users of Rust 1.19.0 to Rust 1.25.0 can instead apply linked patches to mitigate the issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-16 Configuration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rust-lang/rust/security/advisories/GHSA-phjm-8x66-qw4r",
"refsource": "CONFIRM",
"url": "https://github.com/rust-lang/rust/security/advisories/GHSA-phjm-8x66-qw4r"
},
{
"name": "https://groups.google.com/forum/#!topic/rustlang-security-announcements/rVQ5e3TDnpQ",
"refsource": "MISC",
"url": "https://groups.google.com/forum/#!topic/rustlang-security-announcements/rVQ5e3TDnpQ"
},
{
"name": "https://gist.github.com/pietroalbini/0d293b24a44babbeb6187e06eebd4992",
"refsource": "MISC",
"url": "https://gist.github.com/pietroalbini/0d293b24a44babbeb6187e06eebd4992"
},
{
"name": "[oss-security] 20191008 CVE-2019-16760: Cargo prior to Rust 1.26.0 may download the wrong dependency",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2019/10/08/3"
}
]
},
"source": {
"advisory": "GHSA-phjm-8x66-qw4r",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2019-16760",
"datePublished": "2019-09-30T21:39:38.000Z",
"dateReserved": "2019-09-24T00:00:00.000Z",
"dateUpdated": "2024-08-05T01:24:48.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}