« All posts

Cargo'da Symlink Açığı: CVE-2026-5223 Duyuruldu

Cargo, üçüncü taraf registry'lerden gelen tarball'lardaki symlink'leri hatalı işliyordu. Rust 1.96.0 ile düzeltilen orta seviye açığın detayları.

The Rust Security Response Team disclosed that Cargo mishandled symlinks inside crate tarballs downloaded from third-party registries, tracked as CVE-2026-5223. The flaw allowed a malicious crate to overwrite the source code of another crate from the same registry by exploiting how Cargo's local cache under ~/.cargo is structured, letting a crafted tarball extract files one level outside its own cache directory.

crates.io users are unaffected since crates.io already bans crates containing symlinks, but the issue is rated medium severity for third-party registry users. Rust 1.96.0, shipping May 28, 2026, updates Cargo to reject any symlink extraction from crate tarballs regardless of registry source.

Users unable to upgrade immediately are advised to audit their registries for symlinks and configure rejection of symlinks where possible. The vulnerability was reported by Christos Papakonstantinou under the Rust security policy, with the fix developed by Josh Triplett and reviewed and coordinated by several Rust project members.