CVE-2026-5223
Symlink Override in Cargo Crate Tarballs
Publication date: 2026-05-25
Last updated on: 2026-05-25
Assigner: rust
Exploitability
| CWE ID | Description |
|---|---|
| CWE-61 | The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves Cargo, a package manager, incorrectly handling symbolic links (symlinks) inside crate tarballs downloaded from third-party registries. This flaw allows a malicious crate to override the source code of another crate from the same registry by exploiting the symlink handling.
Users of the official crates.io registry are not affected because crates.io forbids uploading crates that contain any symlinks.
How can this vulnerability impact me?
The vulnerability can lead to a malicious crate overriding the source code of another crate from the same third-party registry. This can result in unexpected or harmful code execution when using affected crates, potentially compromising the security and integrity of software projects that rely on these crates.
The severity is considered medium for users of third-party registries, but users relying solely on crates.io are not impacted.
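A defensive check in the spirit of the crates.io rule quoted above, as an added example that is not Cargo's or any registry's own code: it inspects a gzip-compressed .crate tarball for symlink or hardlink entries without extracting anything and rejects the crate if any are present, which is what a third-party registry or a CI gate could run before accepting an upload. The sample crate is constructed in memory, and the function names are assumptions.

```python
"""Reject Cargo .crate tarballs that contain symlink or hardlink entries.

Added example, not Cargo's own code. It mirrors the crates.io upload
policy mentioned on the page (no symlinks in a crate) as a check that a
third-party registry or CI job could apply. The sample tarball built
below is constructed demo data.
"""
import io
import tarfile


def find_link_entries(crate_bytes: bytes) -> list[tuple[str, str, str]]:
    """Return (member name, link kind, link target) for every symlink or
    hardlink in a gzip-compressed .crate tarball. Nothing is extracted."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.issym():
                found.append((member.name, "symlink", member.linkname))
            elif member.islnk():
                found.append((member.name, "hardlink", member.linkname))
    return found


def crate_is_acceptable(crate_bytes: bytes) -> bool:
    """crates.io-style policy: any link entry at all makes the crate unacceptable."""
    return not find_link_entries(crate_bytes)


def build_sample_crate(with_symlink: bool) -> bytes:
    """Construct a minimal demo-0.1.0.crate in memory (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        src = b"pub fn hello() {}\n"
        info = tarfile.TarInfo("demo-0.1.0/src/lib.rs")  # ordinary source file
        info.size = len(src)
        tar.addfile(info, io.BytesIO(src))
        if with_symlink:
            # A symlink entry whose target resolves outside the crate's own
            # directory, the CWE-61 pattern the check is meant to catch.
            link = tarfile.TarInfo("demo-0.1.0/src/other.rs")
            link.type = tarfile.SYMTYPE
            link.linkname = "../../outside/lib.rs"
            tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        data = build_sample_crate(with_symlink=flag)
        print(f"with_symlink={flag}: acceptable={crate_is_acceptable(data)}",
              find_link_entries(data))
```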