Cargo Package Manager Vulnerability: Arbitrary Permission Changes via Malicious Crates

<h2>Overview of the Vulnerability</h2><p>The Rust Security Response Team recently disclosed a critical vulnerability in the third-party <strong><em>tar</em></strong> crate, which <strong>Cargo</strong> uses internally to extract package archives. Tracked as <strong>CVE-2026-33056</strong>, the flaw allows a malicious crate to change the permissions of arbitrary directories on the filesystem at the moment Cargo extracts the package. Because the change happens during extraction, the crate only needs to be fetched and unpacked as a dependency; none of its code has to be compiled or run. Such a change could lead to privilege escalation, data corruption, or unauthorized access to sensitive system paths.</p><figure style="margin:20px 0"><img src="https://www.rust-lang.org/static/images/rust-social-wide.jpg" alt="Cargo Package Manager Vulnerability: Arbitrary Permission Changes via Malicious Crates" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: blog.rust-lang.org</figcaption></figure><p>Because Cargo is the default package manager for the Rust ecosystem, any vulnerability in its extraction process has wide-reaching implications. The issue lies in how the tar crate handled symbolic links and extended headers: it did not check that permission-setting operations stayed within the target extraction directory. An attacker could craft a crate whose archive contains entries that direct permission changes at directories outside that directory, such as <code>/etc</code> or <code>/usr</code>.</p><h2 id="impact-on-cratesio-users">Impact on crates.io Users</h2><p>For users of the public <strong>crates.io</strong> registry, the Rust team acted swiftly. On <strong>March 13, 2026</strong>, a server-side change was deployed that rejects the upload of any crate exploiting this vulnerability. Additionally, every crate ever published to crates.io was audited. 
The investigation confirmed that <strong>no crate on the registry has exploited this flaw</strong>, so users of crates.io are not at risk from existing packages.</p><p>Developers relying on the default registry can therefore continue to build and publish packages: the upload block is enforced server-side, so it protects them whichever Cargo version they run, and the audit covers everything already published. The team nonetheless recommends that all users remain vigilant and apply the toolchain update when it becomes available. For more details on secure development practices, see the <a href="#recommendations">Recommendations</a> section below.</p><h2 id="alternate-registry-users">Alternate Registry Users and Mitigations</h2><p>Organizations that use <strong>alternative registries</strong> (private mirrors, self-hosted repositories, or third-party indexes) face a different situation. The crates.io fix is a server-side check on that registry alone and does not extend to others, so administrators must verify for themselves whether their registry is affected. The Rust team advises contacting the vendor or maintainer of the registry to confirm that they have implemented protections against this vulnerability. Until the registry rejects such archives, users of older Cargo versions remain exposed whenever they fetch a malicious crate from it.</p><p>It is also important to note that the upcoming <strong>Rust 1.94.1</strong> release, scheduled for <strong>March 26, 2026</strong>, will include an updated version of the tar crate that patches the vulnerability. This update will be bundled with other non-security fixes for the Rust toolchain. However, this release alone will not protect users of older Cargo versions who download packages from unsecured alternative registries. 
To fully mitigate the risk, administrators should ensure their registry’s upload endpoint validates archives, and developers should upgrade to the latest stable Cargo as soon as possible.</p><h2 id="recommendations">Recommendations</h2><ul><li><strong>For crates.io users:</strong> No immediate action is needed regarding existing crates, but update to Rust 1.94.1 on March 26 to benefit from the patched tar crate and other improvements.</li><li><strong>For alternative registry administrators:</strong> Implement upload-time validation similar to the check deployed on crates.io: inspect each archive's entries before accepting it and reject any archive that could direct a permission change outside the extraction root, for example a symlink whose target leaves the root or an entry whose path passes through such a symlink. Contact the Rust Security Response Team if assistance is needed.</li><li><strong>For all developers:</strong> Regularly audit dependencies and consider using sandboxed environments for building untrusted code; because this flaw triggers at extraction time, the sandbox must cover dependency fetching (<code>cargo fetch</code>, <code>cargo build</code>), not only compilation and test execution. Ensure your CI/CD pipelines use the latest stable Rust toolchain.</li></ul><h2>Acknowledgments</h2><p>The Rust Security Response Team extends its gratitude to <strong>Sergei Zimmerman</strong> for discovering the underlying vulnerability in the tar crate and responsibly disclosing it to the project. <strong>William Woodruff</strong> provided direct assistance to the crates.io team in implementing the upload-time mitigations. Special thanks also go to <strong>Eric Huss</strong> for patching Cargo, <strong>Tobias Bieniek</strong>, <strong>Adam Harvey</strong>, and <strong>Walter Pearce</strong> for their work on crates.io and the audit of existing crates, as well as <strong>Emily Albini</strong> and <strong>Josh Stone</strong> for coordinating the overall response. Finally, the team acknowledges the efforts of all Rust project members who contributed to this advisory and the fast deployment of fixes.</p>
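<p>The symlink-based mechanism described in the overview, and the upload-time check the recommendations ask alternative registries to implement, as an added example (not code from the tar crate, Cargo, or crates.io): a pure-std Rust validator that parses the ustar headers of an uncompressed <code>.crate</code> image without extracting anything and rejects root-escaping paths, symlinks whose target leaves the extraction root, and any later entry at or below a symlink (the position from which an extractor's mkdir or chmod would land on the link target). The header builder, the <code>pkg-0.1.0</code> entry names and the two sample archives are constructed here for illustration. PAX extended headers and GNU long names are not handled, so a production check must also parse those, since they can carry path and link names that override the ustar fields.</p>

```rust
// Added example (not the tar crate's, Cargo's or crates.io's code): a pre-extraction
// validator for ustar archives that rejects root-escaping paths, symlinks whose target
// leaves the extraction root, and any entry at or below an earlier symlink, since creating
// or chmod'ing that entry would act on the link target. Pure std, no PAX/GNU long names.
use std::path::{Component, Path, PathBuf};
const BLOCK: usize = 512;

/// One parsed header. typeflag: b'0' regular file, b'2' symlink, b'5' directory.
pub struct Entry { pub name: String, pub mode: u32, pub typeflag: u8, pub linkname: String, pub size: usize }

fn field(h: &[u8], off: usize, len: usize) -> String {
    let raw = &h[off..off + len];
    let end = raw.iter().position(|&b| b == 0).unwrap_or(len);
    String::from_utf8_lossy(&raw[..end]).into_owned()
}

fn octal(h: &[u8], off: usize, len: usize) -> usize {
    usize::from_str_radix(field(h, off, len).trim(), 8).unwrap_or(0)
}

/// Walk the 512-byte headers of an uncompressed tar image without extracting anything.
pub fn parse_entries(tar: &[u8]) -> Vec<Entry> {
    let (mut out, mut pos) = (Vec::new(), 0);
    while pos + BLOCK <= tar.len() {
        let h = &tar[pos..pos + BLOCK];
        if h.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        let size = octal(h, 124, 12);
        out.push(Entry { name: field(h, 0, 100), mode: octal(h, 100, 8) as u32,
                         typeflag: h[156], linkname: field(h, 157, 100), size });
        pos += BLOCK + (size + BLOCK - 1) / BLOCK * BLOCK; // skip the padded data blocks
    }
    out
}

/// Lexically normalise an archive path; None if it is absolute or climbs above the root.
fn normalize(p: &str) -> Option<PathBuf> {
    let mut out = PathBuf::new();
    for c in Path::new(p).components() {
        match c {
            Component::Normal(s) => out.push(s),
            Component::CurDir => {}
            Component::ParentDir => { if !out.pop() { return None; } }
            Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    Some(out)
}

/// Upload-time policy: refuse archives whose extraction could touch paths outside the root.
pub fn validate(entries: &[Entry]) -> Result<(), String> {
    let mut links: Vec<PathBuf> = Vec::new(); // symlink paths seen so far, in archive order
    for e in entries {
        let rel = normalize(&e.name).ok_or(format!("{}: unsafe path", e.name))?;
        if let Some(l) = links.iter().find(|l| rel.starts_with(l)) {
            return Err(format!("{}: equals or passes through symlink {}", e.name, l.display()));
        }
        if e.typeflag == b'2' { // a relative target resolves against the link's own directory
            let target = rel.parent().unwrap_or(Path::new("")).join(&e.linkname);
            normalize(&target.to_string_lossy()).ok_or(format!("{}: target {} escapes root", e.name, e.linkname))?;
            links.push(rel);
        }
    }
    Ok(())
}

/// Build one ustar header plus padded data; used only to construct the samples below.
pub fn tar_entry(name: &str, mode: u32, typeflag: u8, linkname: &str, data: &[u8]) -> Vec<u8> {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..107].copy_from_slice(format!("{:07o}", mode).as_bytes());
    h[124..135].copy_from_slice(format!("{:011o}", data.len()).as_bytes());
    h[148..156].copy_from_slice(b"        "); // checksum field counts as spaces while summing
    h[156] = typeflag;
    h[157..157 + linkname.len()].copy_from_slice(linkname.as_bytes());
    h[257..265].copy_from_slice(b"ustar\x0000"); // magic "ustar\0" + version "00"
    let sum: u32 = h.iter().map(|&b| b as u32).sum();
    h[148..155].copy_from_slice(format!("{:06o}\0", sum).as_bytes());
    let mut out = h.to_vec();
    out.extend_from_slice(data);
    out.resize(out.len() + (BLOCK - data.len() % BLOCK) % BLOCK, 0);
    out
}

/// Constructed malicious sample: `src` is a symlink to /etc, then a `src/` directory entry with mode 0777.
pub fn malicious_sample() -> Vec<u8> {
    let mut t = tar_entry("pkg-0.1.0/src", 0o777, b'2', "/etc", b"");
    t.extend(tar_entry("pkg-0.1.0/src/", 0o777, b'5', "", b""));
    t.extend(tar_entry("pkg-0.1.0/src/lib.rs", 0o644, b'0', "", b"pub fn f() {}\n"));
    t.extend(vec![0u8; 2 * BLOCK]); // end-of-archive marker
    t
}

/// Constructed benign sample: a directory, a file and a symlink that stays inside the root.
pub fn benign_sample() -> Vec<u8> {
    let mut t = tar_entry("pkg-0.1.0/src/", 0o755, b'5', "", b"");
    t.extend(tar_entry("pkg-0.1.0/src/lib.rs", 0o644, b'0', "", b"pub fn f() {}\n"));
    t.extend(tar_entry("pkg-0.1.0/README", 0o777, b'2', "docs/README.md", b""));
    t.extend(vec![0u8; 2 * BLOCK]);
    t
}
```

<p><code>validate(&amp;parse_entries(&amp;malicious_sample()))</code> returns an error naming the <code>src</code> symlink because its target <code>/etc</code> lies outside the root; had the target been inside the root, the following <code>src/</code> directory entry would still be rejected for sitting at a symlink, which is exactly where an extractor's permission change would be redirected onto the link target. The benign sample passes. In a real <code>.crate</code> a gzip layer sits in front of this, and decompression should be size-bounded before the headers are parsed.</p>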
