Cargo
Affected versions: < 1.96.0
A medium-severity vulnerability has been identified in Cargo, the Rust package manager, affecting all versions prior to 1.96.0. The issue arises from Cargo's improper management of symlinks within crate tarballs downloaded from third-party registries. This flaw enables a malicious crate to overwrite the source code of another crate from the same registry. Notably, users of crates.io are not affected, as this registry prohibits the upload of crates containing symlinks.
Exploitation of this vulnerability allows for the unauthorized modification of cached source code for crates from the same third-party registry, potentially leading to malicious code execution or other harmful effects when the modified crate is used.
Cargo has been updated in Rust 1.96.0 to reject the extraction of any symlink within crate tarballs, regardless of the registry. Users who cannot upgrade to this version should audit their registry for symlinks and configure their registry to reject them if possible.
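The audit recommended above, as an added example that is not Cargo's or the Rust project's own code: a standard-library-only Python check that flags symlink (and hardlink) members in a `.crate` tarball, which a registry operator can run over stored crates or use as an upload-time rejection gate. The crate layout it builds for the demonstration is constructed test data, not a real package.

```python
"""Audit .crate tarballs (gzip-compressed tar) for symlink members."""
import io
import tarfile
from typing import Dict, List, Tuple


def find_symlinks(crate_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member_path, link_target) for every symlink or hardlink
    member. Symlinks are the vector named in the advisory; hardlinks are
    reported as well because they also alias one path to another."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.issym() or member.islnk():
                found.append((member.name, member.linkname))
    return found


def crate_is_acceptable(crate_bytes: bytes) -> bool:
    """Rejection gate matching the 1.96.0 behaviour: no symlinks at all."""
    return not find_symlinks(crate_bytes)


def build_crate(files: Dict[str, str], symlinks: Dict[str, str]) -> bytes:
    """Build a minimal .crate-style tarball in memory (constructed test
    data). `files` maps path -> content, `symlinks` maps path -> target."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for path, target in symlinks.items():
            info = tarfile.TarInfo(path)
            info.type = tarfile.SYMTYPE  # symlink entry, no file body
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()


if __name__ == "__main__":
    manifest = {"demo-0.1.0/Cargo.toml": '[package]\nname = "demo"\n'}
    clean = build_crate(manifest, {})
    # Constructed sample: a symlink whose target escapes the crate's own directory.
    suspect = build_crate(manifest, {"demo-0.1.0/src": "../other-1.0.0/src"})
    print("clean crate accepted:", crate_is_acceptable(clean))
    print("suspect crate symlinks:", find_symlinks(suspect))
```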