PT-2023-27225 · Rust+4

Remkop22 · Published 2023-08-24 · Updated 2024-07-29 · CVE-2023-40030

CVSS v3.1 6.1 Medium
Vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Cargo, the package manager shipped with Rust, in Rust versions 1.60.0 through 1.71
Description Cargo did not HTML-escape Cargo feature names when writing them into the HTML report generated by cargo build --timings. A malicious package pulled in as a dependency can therefore declare a feature name that carries nearly arbitrary HTML, and that markup is emitted verbatim into the report. If the report is later uploaded to a web site and viewed there, the result is cross-site scripting. Only users who take dependencies from git, local paths, or alternative registries are exposed; users who depend solely on crates.io are unaffected, because crates.io rejects feature names containing such characters at publish time. A feature name such as features = ["<img src='' onerror=alert(0)"] is enough to inject JavaScript into the page. If the report is hosted on an origin where the viewer holds credentials (cookies, tokens, same-origin data), the injected JavaScript runs with the visitor's access to that origin. A report that is only ever opened locally carries far less risk, since there is no credentialed origin to abuse.
Recommendations For Rust versions 1.60.0 through 1.71, update to Rust 1.72 or later, which escapes feature names in the --timings report. As a general precaution, review the [features] table of any dependency that does not come from crates.io before building with --timings, and only include trusted dependencies in projects. Treat any --timings report produced with an affected Cargo from an untrusted dependency tree as untrusted HTML and do not publish it.
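The injection mechanism described above, reproduced as an added stand-alone example (this is not Cargo's own source). It builds the feature cell of a timings-style report once without escaping (the pre-1.72 behaviour) and once with escaping (equivalent to what 1.72 does), checks whether the injected markup survived, and includes an approximation of the crates.io feature-name rules to show why a crates.io-only dependency tree could not carry the payload. The constant MALICIOUS_FEATURE is constructed from the advisory's example, and is_registry_style_feature_name is an assumption about the registry's rules, not its actual code.

```rust
// Added example, not Cargo's own code. It reproduces the CVE-2023-40030
// injection in a stand-alone form: a malicious feature name from a git/path
// dependency written into an HTML report unescaped (pre-1.72 behaviour),
// the hardened writer that escapes it, and a registry-style name check that
// explains why crates.io-only dependency trees were not affected.

/// Constructed malicious feature name, taken from the advisory's example.
pub const MALICIOUS_FEATURE: &str = "<img src='' onerror=alert(0)";

/// Escape the five characters that are significant in HTML text and
/// attribute values. Cargo 1.72 applies an equivalent escape in the
/// --timings writer; this helper is written for the example.
pub fn html_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#39;"),
            _ => out.push(c),
        }
    }
    out
}

/// Pre-fix behaviour: feature names are joined straight into the report.
pub fn feature_cell_unescaped(features: &[&str]) -> String {
    features.join(", ")
}

/// Hardened behaviour: each name is escaped before it reaches the markup.
pub fn feature_cell_escaped(features: &[&str]) -> String {
    features
        .iter()
        .map(|f| html_escape(f))
        .collect::<Vec<_>>()
        .join(", ")
}

/// A cell that still contains a raw '<' or '>' can open or close an
/// element, so the injection has survived into the document.
pub fn injection_survives(cell: &str) -> bool {
    cell.contains('<') || cell.contains('>')
}

/// Approximation (an assumption for this example, not the registry's exact
/// code) of the feature-name rules crates.io enforces at publish time:
/// either "dep:<name>", or "<pkg>/<feat>" / "<pkg>?/<feat>", or a bare
/// name; every identifier starts with an ASCII alphanumeric or '_' and
/// otherwise contains only ASCII alphanumerics, '_', '-', '+' or '.'.
pub fn is_registry_style_feature_name(name: &str) -> bool {
    fn ident_ok(s: &str) -> bool {
        let mut chars = s.chars();
        match chars.next() {
            Some(c) if c.is_ascii_alphanumeric() || c == '_' => {}
            _ => return false,
        }
        chars.all(|c| c.is_ascii_alphanumeric() || matches!(c, '_' | '-' | '+' | '.'))
    }
    if let Some(dep) = name.strip_prefix("dep:") {
        // "dep:" names a dependency directly and cannot be combined with '/'.
        return ident_ok(dep);
    }
    match name.split_once('/') {
        Some((pkg, feat)) => {
            let pkg = pkg.strip_suffix('?').unwrap_or(pkg);
            ident_ok(pkg) && ident_ok(feat)
        }
        None => ident_ok(name),
    }
}

fn main() {
    let features = ["std", MALICIOUS_FEATURE];
    let raw = feature_cell_unescaped(&features);
    let safe = feature_cell_escaped(&features);
    println!("unescaped cell: {raw}");
    println!("  injection survives: {}", injection_survives(&raw));
    println!("escaped cell:   {safe}");
    println!("  injection survives: {}", injection_survives(&safe));
    println!(
        "crates.io-style check accepts the malicious name: {}",
        is_registry_style_feature_name(MALICIOUS_FEATURE)
    );
}
```

The unescaped cell carries the `<img ...>` payload straight through, the escaped cell turns it into inert text, and the registry-style check rejects the name outright, which is the same reason the advisory limits exposure to git, path and alternative-registry dependencies.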

Tags

XSS

Related Identifiers

ALT-PU-2023-6236
ALT-PU-2024-2838
AZL-28511
CVE-2023-40030
GHSA-WRRJ-H57R-VX9P
OPENSUSE-SU-2023:3722-1
OPENSUSE-SU-2024:13262-1
SUSE-SU-2023:3722-1

Affected Products

Alt Linux
Debian
RED OS
Rust
Suse