Overview: A Serious Flaw in Cargo's Package Extraction
The Rust Security Response Team recently disclosed a vulnerability affecting the tar crate, a third-party dependency used by Cargo to extract package archives during builds. Designated as CVE-2026-33056, this flaw could allow a malicious crate to alter permissions on arbitrary directories on the filesystem when Cargo unpacks it. While the attack requires a developer to build a crate from an untrusted source, the potential impact—unauthorized modification of system or project directory permissions—raises serious concerns for supply chain security.
How the Vulnerability Works
The tar crate processes archive entries and applies metadata (such as file permissions) during extraction. The vulnerability stems from a failure to adequately validate symbolic links or path traversal patterns within archives. By crafting a tar entry that points to an arbitrary directory outside the intended extraction target, an attacker can cause Cargo to execute permission changes (e.g., chmod) on that external directory. This could lead to privilege escalation, persistent backdoors, or disruption of development workflows.
Scope of Impact
The flaw is present in all versions of the tar crate prior to the patched release included in Rust 1.94.1. It affects any Cargo workflow that extracts packages from registries or local archives. However, the degree of risk depends on the registry source:
- crates.io (public registry): The Rust team deployed a mitigation on March 13, 2026, preventing upload of crates that exploit this vulnerability. Additionally, a comprehensive audit of all ever published crates found no evidence of exploitation. Users of crates.io are therefore not at risk from malicious packages hosted there.
- Alternate registries: If your organization or project uses a private or third-party registry (e.g., a self-hosted instance of Gitea or Cloudsmith), you must verify with the registry vendor whether they have applied equivalent mitigations. Without such safeguards, older versions of Cargo may still be vulnerable when fetching packages from those sources.
Official Fix and Timeline
The Rust team will release Rust 1.94.1 on March 26, 2026, which updates Cargo to use a patched version of the tar crate. This release also includes other non-security fixes for the Rust toolchain. However, it is important to note that the patch only protects users who upgrade their toolchain; developers stuck on older Rust versions (e.g., due to corporate policies or legacy projects) will remain vulnerable if they fetch crates from untrusted alternate registries.
Recommended Actions
For All Users
- Update your Rust toolchain to 1.94.1 as soon as it becomes available. This is the only comprehensive fix for Cargo.
- If you maintain a private registry, contact the vendor and confirm they have implemented upload-time validation similar to crates.io’s March 13th measure.
For Registry Operators
- Audit your crate upload pipeline for path traversal and symbolic link handling. The crates.io team’s approach (blocking malicious uploads) can serve as a reference.
- Consider patching your Cargo integration or even backporting the tar crate fix to your platform.
For Security Teams
- Review your organization’s dependency extraction logic. If you mirror crates to an internal registry, ensure you are not reprocessing the original tar archives without proper sanitization.
Credits and Acknowledgments
The Rust Security Response Team extends its gratitude to Sergei Zimmerman for discovering the underlying tar crate vulnerability and responsibly disclosing it ahead of time. William Woodruff directly assisted the crates.io team with implementing the mitigations. The following project members contributed to the response:
- Eric Huss – patched Cargo.
- Tobias Bieniek, Adam Harvey, Walter Pearce – patched crates.io and analyzed existing crates.
- Emily Albini, Josh Stone – coordinated the response.
- Emily Albini – authored this advisory.
Conclusion
The CVE-2026-33056 vulnerability highlights the importance of supply chain hygiene and timely updates. While crates.io users are protected, all Rust developers should upgrade to Rust 1.94.1 to ensure their toolchain is secure against this and other future threats. For alternate registries, proactive communication with vendors is essential until universal patching is complete. The Rust community’s rapid and coordinated response sets a strong example for open-source security.