A fix was pushed into the master branch but not yet published.
cargo is Cargo, the package manager for Rust.
Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following in the extraction process of crate tarballs containing symlinks from third-party registries. An attacker can cause the cached source of another crate to be overridden by crafting a malicious crate with symlinks that target files of other crates during extraction. This is only exploitable if crates are sourced from third-party registries that permit symlinks in crate tarballs.
This vulnerability can be mitigated by auditing the contents of the registry for the presence of any symlink and configuring the registry to reject symlinks if such an option is available.
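The audit step above can be automated. The following is an added example, not code from Cargo or from the advisory: a standard-library-only Rust program that walks the ustar headers of a crate tarball and reports every symlink entry, hardlink entry, or member path that escapes the extraction root. A `.crate` file is a gzip-compressed tar, so decompress it first (for instance `gunzip -c name.crate > name.tar`) and pass the `.tar` path as the first argument; with no argument the program audits a constructed sample archive containing one ordinary `Cargo.toml` and one symlink entry whose crate name and link target are placeholders.

```rust
use std::path::{Component, Path};

const BLOCK: usize = 512; // tar archives are sequences of 512-byte blocks

#[derive(Debug, PartialEq)]
pub enum Finding {
    Symlink { path: String, target: String },
    Hardlink { path: String, target: String },
    Traversal { path: String },
}

// Read a NUL-terminated text field from a tar header block.
fn field_str(block: &[u8], off: usize, len: usize) -> String {
    let raw = &block[off..off + len];
    let end = raw.iter().position(|&b| b == 0).unwrap_or(len);
    String::from_utf8_lossy(&raw[..end]).into_owned()
}

// Numeric tar fields are ASCII octal, optionally space- or NUL-terminated.
fn field_octal(block: &[u8], off: usize, len: usize) -> u64 {
    u64::from_str_radix(field_str(block, off, len).trim(), 8).unwrap_or(0)
}

// A member path must stay inside the extraction directory: no absolute paths, no "..".
fn escapes_root(path: &str) -> bool {
    let p = Path::new(path);
    p.is_absolute() || p.components().any(|c| matches!(c, Component::ParentDir))
}

/// Scan an uncompressed tar image and return every entry a registry should reject.
pub fn audit_tar(data: &[u8]) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut off = 0;
    while off + BLOCK <= data.len() {
        let hdr = &data[off..off + BLOCK];
        if hdr.iter().all(|&b| b == 0) {
            break; // end-of-archive marker
        }
        let name = field_str(hdr, 0, 100);
        // The 155-byte prefix field is only meaningful when the ustar magic is present.
        let prefix = if &hdr[257..262] == b"ustar" { field_str(hdr, 345, 155) } else { String::new() };
        let path = if prefix.is_empty() { name } else { format!("{}/{}", prefix, name) };
        let size = field_octal(hdr, 124, 12) as usize;
        let typeflag = hdr[156]; // '0' regular file, '1' hardlink, '2' symlink, '5' directory
        let linkname = field_str(hdr, 157, 100);
        match typeflag {
            b'2' => findings.push(Finding::Symlink { path: path.clone(), target: linkname }),
            b'1' => findings.push(Finding::Hardlink { path: path.clone(), target: linkname }),
            _ => {}
        }
        if escapes_root(&path) {
            findings.push(Finding::Traversal { path });
        }
        // File contents follow the header, padded up to a whole number of blocks.
        let data_blocks = (size + BLOCK - 1) / BLOCK;
        off += BLOCK * (1 + data_blocks);
    }
    findings
}

// Build one ustar header; used only to construct the sample archive below.
fn tar_header(path: &str, typeflag: u8, linkname: &str, size: usize) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..path.len()].copy_from_slice(path.as_bytes());
    h[100..107].copy_from_slice(b"0000644");
    h[108..115].copy_from_slice(b"0000000");
    h[116..123].copy_from_slice(b"0000000");
    h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes());
    h[136..147].copy_from_slice(b"00000000000");
    h[156] = typeflag;
    h[157..157 + linkname.len()].copy_from_slice(linkname.as_bytes());
    h[257..262].copy_from_slice(b"ustar");
    h[263..265].copy_from_slice(b"00");
    // The checksum is computed with the checksum field itself filled with spaces.
    h[148..156].copy_from_slice(b"        ");
    let sum: u32 = h.iter().map(|&b| b as u32).sum();
    h[148..156].copy_from_slice(format!("{:06o}\0 ", sum).as_bytes());
    h
}

/// Constructed sample: a crate tarball with a normal manifest and a symlink entry
/// pointing outside its own directory (placeholder names, not a real crate).
pub fn sample_malicious_crate() -> Vec<u8> {
    let mut t = Vec::new();
    let manifest = b"[package]\nname = \"evil\"\nversion = \"0.1.0\"\n";
    t.extend_from_slice(&tar_header("evil-0.1.0/Cargo.toml", b'0', "", manifest.len()));
    t.extend_from_slice(manifest);
    t.resize(t.len() + (BLOCK - manifest.len() % BLOCK) % BLOCK, 0); // pad to block size
    t.extend_from_slice(&tar_header("evil-0.1.0/src/lib.rs", b'2', "../../other-crate-1.0.0/src/lib.rs", 0));
    t.extend_from_slice(&[0u8; BLOCK * 2]); // two zero blocks terminate the archive
    t
}

fn main() {
    let data = match std::env::args().nth(1) {
        Some(p) => std::fs::read(&p).expect("cannot read tar file"),
        None => sample_malicious_crate(),
    };
    let findings = audit_tar(&data);
    if findings.is_empty() {
        println!("no symlink, hardlink or path-traversal entries found");
    }
    for f in &findings {
        println!("REJECT: {:?}", f);
    }
}
```

A registry that cannot configure symlink rejection natively can run this check at publish time and refuse any upload with a non-empty finding list; the traversal check is included because an entry such as `../other/file` is the same class of extraction-path escape and should be rejected alongside links.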