PT-2022-23202 · Rust · Cargo
Ori Hollander · Published 2022-09-14 · Updated 2024-07-05
CVE-2022-36114
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Cargo versions prior to 1.64
Description
The issue is related to Cargo, the package manager for the Rust programming language, which does not limit the amount of data extracted from compressed archives. An attacker could upload a specially crafted package to an alternate registry that extracts to far more data than its compressed size (a "zip bomb"), exhausting the disk space on the machine using Cargo to download the package. By design, Cargo allows code execution at build time through build scripts and procedural macros, so a malicious dependency can already cause damage; this vulnerability allows a subset of that damage to be done in a way that is harder to track down. Users of alternate registries are advised to exercise care in which packages they download, by only including trusted dependencies in their projects.
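As an added illustration of the mitigation implied above (not Cargo's own code), this Python sketch places a cap on the decompressed byte count between the gzip decoder and the tar parser while unpacking a .crate-style archive, so a small archive that inflates far beyond its size is cut off before it can fill the disk. The archives, the 1 MiB cap and all helper names are constructed for the example.

```python
import gzip
import io
import tarfile
class ExtractionLimitExceeded(Exception):
    """Raised as soon as the decompressed stream grows past the cap."""

class LimitedReader:
    """Sits between the gzip decoder and the tar parser, counting every byte handed over."""
    def __init__(self, inner, limit):
        self.inner, self.limit, self.consumed = inner, limit, 0
    def read(self, size=-1):
        data = self.inner.read(size)
        self.consumed += len(data)
        if self.consumed > self.limit:
            raise ExtractionLimitExceeded(f"decompressed {self.consumed} bytes, cap is {self.limit}")
        return data

def make_crate(name, payload):
    """Build a gzipped tar in memory as a stand-in for a .crate file (constructed input)."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return gzip.compress(raw.getvalue())

def extract_bounded(crate_bytes, limit=1024 * 1024):
    """Unpack a .crate-style archive, aborting once the inflated tar stream (headers included)
    exceeds `limit` bytes; the 1 MiB default is a constructed value small enough for the demo."""
    sizes = {}
    with gzip.GzipFile(fileobj=io.BytesIO(crate_bytes), mode="rb") as gz:
        with tarfile.open(fileobj=LimitedReader(gz, limit), mode="r|") as tar:  # streaming mode
            for member in tar:
                if member.isfile():
                    src = tar.extractfile(member)  # a real extractor would write chunks to disk
                    sizes[member.name] = sum(len(c) for c in iter(lambda: src.read(65536), b""))
    return sizes  # {member name: bytes extracted}

def fits_within_cap(crate_bytes, limit=1024 * 1024):
    """True when the archive unpacks inside the cap, False when extraction was aborted."""
    try:
        extract_bounded(crate_bytes, limit)
        return True
    except ExtractionLimitExceeded:
        return False

SAFE_PAYLOAD = b'[package]\nname = "demo"\n'
SAFE_CRATE = make_crate("demo-0.1.0/Cargo.toml", SAFE_PAYLOAD)
BOMB_CRATE = make_crate("demo-0.1.0/src/lib.rs", b"\0" * (4 << 20))  # 4 MiB of zeros: tiny gzip, huge tar
```

Because the counter wraps the decompressor's output rather than trusting sizes declared in tar headers, the cap holds no matter what the archive claims about its contents.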
Recommendations
For versions prior to 1.64, update to Rust 1.64 or later to fix the issue.
For users of Rust 1.63.0, patch files are available in the wg-security-response repository for people building their own toolchain.
As a temporary workaround, exercise care in which packages you download, by only including trusted dependencies in your projects.
Limit the use of untrusted dependencies and registries to minimize the risk of exploitation.
Exploit
Fix
Resource Exhaustion
Weakness Enumeration
Related Identifiers
Affected Products
Cargo
Debian
SUSE