CVE-2022-36113: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in rust-lang cargo
Cargo is a package manager for the Rust programming language. After a package is downloaded, Cargo extracts its source code into the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes "ok" to the .cargo-ok file at the root of the extracted source code once it has extracted all the files.

It was discovered that Cargo allowed packages to contain a .cargo-ok symbolic link, which Cargo would extract. Then, when Cargo attempted to write "ok" into .cargo-ok, it would actually replace the first two bytes of the file the symlink pointed to with "ok". This would allow an attacker to corrupt one file on the machine using Cargo to extract the package.

Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder to track down way. Your dependencies must still be trusted if you want to be protected from attacks, as it's possible to perform the same attacks with build scripts and procedural macros.

The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it. Since the vulnerability is just a more limited way to accomplish what malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain.

Mitigations

We recommend users of alternate registries to exercise care in which packages they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities.
crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to exercise care in choosing their dependencies though, as remote code execution is allowed by design there as well.
AI Analysis
Technical Summary
CVE-2022-36113 is a medium-severity path traversal vulnerability affecting Cargo, the package manager for the Rust programming language. Cargo downloads Rust packages and extracts their source code into the ~/.cargo directory. To mark successful extraction, Cargo writes the string "ok" into a file named .cargo-ok at the root of the extracted package. The vulnerability arises because Cargo does not properly restrict symbolic links within packages. Specifically, if a package contains a .cargo-ok symbolic link pointing to an arbitrary file elsewhere on the filesystem, Cargo will follow this symlink and overwrite the first two bytes of the target file with "ok" during extraction. This allows an attacker to corrupt arbitrary files on the victim's machine where Cargo is run. The vulnerability affects all Cargo versions prior to 0.65.0 and version 0.66.0. Although the impact is limited to partial file corruption (overwriting only two bytes), this can cause unpredictable behavior or data corruption in critical files. The flaw is a subset of the broader risk posed by Cargo’s design, which inherently allows arbitrary code execution at build time via build scripts and procedural macros. Thus, while this vulnerability enables a stealthier and harder-to-detect attack vector, it does not expand the fundamental attack surface beyond what malicious build scripts already permit. The Rust 1.64 release includes a fix for this issue, but no backported patches are provided for earlier Rust versions. Users building their own toolchains can apply patches from the wg-security-response repository. The official crates.io registry has server-side checks that reject packages exploiting this vulnerability, and no known exploits have been observed in the wild. However, users of alternate registries or untrusted packages remain at risk. 
Overall, the vulnerability is a path traversal flaw (CWE-22) that allows limited arbitrary file corruption during package extraction, compounding the inherent risks of Cargo’s build-time code execution model.
Potential Impact
For European organizations, the impact of CVE-2022-36113 is primarily related to the integrity of development environments and build pipelines that use Cargo. Since Cargo is widely used in Rust development, organizations relying on Rust for critical applications or infrastructure could face subtle file corruption leading to build failures, corrupted binaries, or compromised software integrity. Although the vulnerability does not directly enable remote code execution beyond what build scripts already allow, it can be used to tamper with files in a stealthy manner, complicating forensic analysis and incident response. This could undermine trust in software supply chains, especially in sectors with stringent software integrity requirements such as finance, telecommunications, and critical infrastructure. The lack of known exploits in the wild and the presence of server-side checks on crates.io reduce immediate risk, but organizations using private or alternate registries may be more exposed. Additionally, since Cargo’s design inherently permits arbitrary code execution at build time, this vulnerability adds a subtle attack vector that could be leveraged by sophisticated threat actors targeting European software development environments. The potential impact includes disruption of software builds, introduction of hard-to-detect corruption in source or configuration files, and erosion of supply chain security assurances.
Mitigation Recommendations
1. Upgrade Cargo to version 0.65.0 or later, or Rust 1.64 or later, where the vulnerability is fixed. If using custom toolchains, apply the patches available in the wg-security-response repository.
2. Restrict usage of alternate package registries and only include dependencies from trusted sources. Implement strict vetting and code review processes for third-party Rust packages, especially those from non-official registries.
3. Employ reproducible builds and integrity verification techniques such as checksums or signatures on dependencies to detect tampering or corruption caused by this vulnerability.
4. Monitor build environments for unexpected file modifications, particularly in ~/.cargo directories, using file integrity monitoring tools.
5. Isolate build environments using containerization or sandboxing to limit the impact of any file corruption or malicious build scripts.
6. Educate development teams about the inherent risks of build-time code execution in Cargo and enforce policies to minimize inclusion of untrusted dependencies.
7. For organizations running continuous integration pipelines, implement automated scanning of dependencies for known vulnerabilities and suspicious package contents, including symbolic links that could lead to path traversal.
8. Maintain up-to-date backups of critical build environment files to enable recovery from potential corruption.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-07-15T00:00:00.000Z
- Cisa Enriched: true