
Cargo Tar Crate Flaw Exposes Systems to Permission Escalation Attacks

Asked 2026-05-01 04:35:30 Category: Cybersecurity

Critical Vulnerability in Rust's Package Manager

A severe security flaw in the tar crate, the library Cargo uses to unpack .crate archives, could let a malicious package change the permissions of an arbitrary directory on the filesystem during extraction, the Rust Security Response Team warned today.

Source: blog.rust-lang.org

The vulnerability, tracked as CVE-2026-33056, affects all versions of the tar crate used by Cargo to unpack .crate files during builds. A malicious crate can exploit this to change permissions on arbitrary directories, which could enable privilege escalation or data tampering.

Mitigation Already Deployed for crates.io

For users of the official crates.io registry, the Rust team implemented a server-side filter on March 13 to block uploads that attempt to exploit the flaw. An audit of every crate ever published found no evidence of exploitation in the public registry.

“We can confirm that no crates on crates.io are exploiting this vulnerability,” said Emily Albini, Rust Security Response Team member. “We strongly recommend that operators of alternate registries verify their status and contact us for guidance.”

Patch Schedule and Advisory for Alternate Registries

Rust 1.94.1, scheduled for March 26, 2026, ships a Cargo built against a patched tar crate, alongside other non-security fixes. The fix lives in the toolchain, so it protects only machines whose toolchain is actually upgraded (rustup update, or the distribution's equivalent).

Users of alternate registries (private or third-party) must contact their registry vendor directly to find out whether an upload filter equivalent to the crates.io one is in place and whether already-published crates have been audited. The filter is only a stopgap: a Cargo toolchain that has not been upgraded keeps the vulnerable extraction code and remains exposed to any malicious .crate it fetches, whichever registry serves it.

“If you rely on a private registry, your exposure depends entirely on your vendor’s patching status,” Albini added. “Do not wait for a general update; take action now.”

Background: The Role of the tar Crate in Cargo

Cargo is Rust’s package manager and build system. It downloads dependencies as .crate files, which are gzip-compressed tar archives, and extracts them with the tar crate. The vulnerability lets a crafted archive make that extraction step set permissions on a directory outside the directory being extracted into.

Cargo runs with the privileges of whoever invokes it. On Unix, changing a directory’s mode requires owning it, so on a developer workstation the reachable targets are the user’s own directories (the home directory, ~/.cargo, ~/.ssh and the like), which is enough to expose secrets or let another local account plant files. Where builds run as root, as they commonly do in CI containers, system‑wide directories are reachable as well, opening the door to further compromise.

What This Means

For public registry users: the immediate risk is low. The crates.io team has blocked crates that attempt to exploit the flaw and verified that none published before the filter did so. Users should still update to Rust 1.94.1 when it becomes available: the server‑side filter covers only crates.io, and the toolchain fix is what actually removes the vulnerable code.

For alternate registry users: this is a high‑priority security alert. Organizations running private registries must apply an upload filter equivalent to the one on crates.io, audit the crates they already host, and move their builds to a patched Cargo. Until both sides are covered, every crate extraction from that registry carries a risk of permission escalation.
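The Background section above describes the extraction step and this paragraph asks registry operators to filter uploads. The following is an added example of the kind of pre-extraction check an operator could run; it is not code from the tar crate, Cargo or crates.io, and it does not reproduce the specific CVE-2026-33056 trigger, which the advisory does not describe. It is a generic archive-hygiene scanner written against the ustar header layout with the standard library only: it flags absolute paths, `..` hops, setuid/setgid/world-writable modes on files and directories, hard and symbolic links, and GNU/pax extension entries it cannot resolve, and it fails closed on a corrupt or truncated stream. It assumes the .crate file has already been gunzipped (for instance with the flate2 crate, an assumption outside this block), and the archive it scans is constructed inline, not a real crate.

```rust
use std::path::{Component, Path};
/// Reasons to reject an archive before any extractor touches it.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Finding {
    BadChecksum { offset: usize },
    Truncated { offset: usize },
    AbsolutePath(String),
    ParentTraversal(String),
    DangerousMode { name: String, mode: u32 },
    Link { name: String, target: String }, // hard or symbolic
    UnresolvedExtension { name: String, typeflag: u8 },
}

/// NUL-terminated text field of a 512-byte ustar header block.
fn text(block: &[u8], off: usize, len: usize) -> String {
    let raw = &block[off..off + len];
    let end = raw.iter().position(|&b| b == 0).unwrap_or(raw.len());
    String::from_utf8_lossy(&raw[..end]).into_owned()
}

/// Octal numeric field (mode, size, checksum); anything unparsable reads as 0.
fn octal(block: &[u8], off: usize, len: usize) -> u64 {
    u64::from_str_radix(text(block, off, len).trim(), 8).unwrap_or(0)
}

/// Header checksum: every byte summed, with the checksum field itself counted as spaces.
fn checksum(block: &[u8]) -> u64 {
    block.iter().enumerate().map(|(i, &b)| if (148..156).contains(&i) { 32 } else { b as u64 }).sum()
}

/// Walk every header of an uncompressed ustar stream (gunzip the .crate first) and collect findings.
pub fn scan_tar(data: &[u8]) -> Vec<Finding> {
    let mut findings = Vec::new();
    let (mut off, mut done) = (0usize, false);
    while off + 512 <= data.len() {
        let block = &data[off..off + 512];
        if block.iter().all(|&b| b == 0) { done = true; break; } // end-of-archive marker
        if checksum(block) != octal(block, 148, 8) {
            findings.push(Finding::BadChecksum { offset: off });
            done = true; break; // nothing after a corrupt header can be trusted
        }
        let (name, prefix) = (text(block, 0, 100), text(block, 345, 155));
        let full = if prefix.is_empty() { name } else { format!("{}/{}", prefix, name) };
        let (typeflag, target) = (block[156], text(block, 157, 100));
        let (mode, size) = (octal(block, 100, 8) as u32, octal(block, 124, 12) as usize);
        // Path hygiene: an extractor must never be handed an absolute path or a `..` hop.
        findings.extend(Path::new(&full).components().find_map(|c| match c {
            Component::RootDir | Component::Prefix(_) => Some(Finding::AbsolutePath(full.clone())),
            Component::ParentDir => Some(Finding::ParentTraversal(full.clone())),
            _ => None,
        }));
        // Permission bits a package has no business shipping: setuid, setgid, world-writable.
        if matches!(typeflag, 0 | b'0' | b'5') && mode & 0o6002 != 0 {
            findings.push(Finding::DangerousMode { name: full.clone(), mode });
        }
        match typeflag {
            b'1' | b'2' => findings.push(Finding::Link { name: full, target }),
            // GNU long-name and pax entries carry paths in their payload; fail closed.
            b'L' | b'K' | b'x' | b'g' => findings.push(Finding::UnresolvedExtension { name: full, typeflag }),
            _ => {}
        }
        off += 512 + (size + 511) / 512 * 512; // payload is padded to a block boundary
    }
    if !done {
        findings.push(Finding::Truncated { offset: off });
    }
    findings
}

/// Build one ustar header; used here only to construct the sample archive.
pub fn header(name: &str, typeflag: u8, mode: u32, size: usize, target: &str) -> [u8; 512] {
    let mut h = [0u8; 512];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..107].copy_from_slice(format!("{:07o}", mode).as_bytes());
    h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes());
    h[156] = typeflag;
    h[157..157 + target.len()].copy_from_slice(target.as_bytes());
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    let sum = format!("{:06o}\0", checksum(&h));
    h[148..155].copy_from_slice(sum.as_bytes());
    h
}

/// Constructed sample (not a real crate): a well-formed layout plus three entries a scanner must catch.
pub fn sample_archive() -> Vec<u8> {
    let manifest = b"[package]\nname = \"demo\"\nversion = \"0.1.0\"\n";
    let mut a = Vec::new();
    a.extend_from_slice(&header("demo-0.1.0/", b'5', 0o755, 0, ""));
    a.extend_from_slice(&header("demo-0.1.0/Cargo.toml", b'0', 0o644, manifest.len(), ""));
    a.extend_from_slice(manifest);
    a.resize(a.len() + (512 - manifest.len() % 512) % 512, 0); // pad the payload to a block
    a.extend_from_slice(&header("demo-0.1.0/../../escape/", b'5', 0o777, 0, ""));
    a.extend_from_slice(&header("/tmp/", b'5', 0o777, 0, ""));
    a.extend_from_slice(&header("demo-0.1.0/link", b'2', 0o777, 0, "/etc/passwd"));
    a.extend(std::iter::repeat(0u8).take(1024)); // two zero blocks end the archive
    a
}
```

On the sample, scan_tar reports the `..` directory, the absolute `/tmp/` directory (both also carrying 0o777), and the symlink to /etc/passwd, and returns nothing for the clean entries. An upload handler would gunzip the incoming .crate, call scan_tar on the result and reject the upload on any non-empty return; the same routine run over an existing store is the audit the text asks for. Two caveats: the Link finding is a policy hook, since a registry that never expects links can simply reject them, and the scanner deliberately refuses GNU long-name and pax entries rather than parsing their payloads, so an archive that legitimately needs them has to be handled by a fuller parser.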

The incident underscores the importance of supply chain security in package management. Even trusted components like the tar crate can introduce vulnerabilities if not rigorously maintained.

Credits and Acknowledgments

The Rust Security Response Team thanked Sergei Zimmerman for discovering the underlying tar crate vulnerability and for responsible disclosure. William Woodruff directly assisted the crates.io team with mitigations.

Additional contributors include Eric Huss (patching Cargo), Tobias Bieniek, Adam Harvey, and Walter Pearce (patching crates.io and analyzing existing crates), Emily Albini and Josh Stone (response coordination), and Emily Albini (advisory writing).