JFrog Security Research

Rust Cargo zip-bomb DoS

CVE-2022-36114 | CVSS 4.8

JFrog Severity: low

Discovered by Ori Hollander of the JFrog Security Research Team

Published 14 Sep, 2022 | Last updated 14 Sep, 2022

Cargo is vulnerable to zip-bomb attacks when a user downloads a malicious package from sources other than crates.io

Component: Cargo

Affected versions: Rust (,1.63], fixed in Rust 1.64

Rust uses Cargo as its package manager. Cargo, by default, downloads "crates" from crates.io. Crates are essentially TAR files compressed with GZip. Crates.io limits the decompression size of uploaded crates to avoid zip bombs.

By contrast, the Cargo client does not apply a size limit to crates it downloads from a registry. Crates downloaded from crates.io can reasonably be assumed safe because of the upload-time limit described above, but crates downloaded from other sources cannot. An attacker could upload to an alternate registry a specially crafted package that extracts to significantly more data than its compressed size, exhausting the memory of the Cargo process and/or the disk space of the machine that uses Cargo to download the package.
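To make the failure mode concrete, here is an added example (not Cargo's code, and not part of the original advisory) in Python, using only the standard library. It constructs a crate-shaped tar+gzip archive whose one member is a few megabytes of zeros (so it compresses to a few kilobytes), then shows a defensive extractor that streams the archive and aborts as soon as the cumulative decompressed size passes a configured cap, before the disk or process memory is exhausted. The member name, the cap values and the payload are constructed for the illustration.

```python
import gzip
import io
import tarfile
import tempfile
from pathlib import Path


class DecompressionLimitExceeded(Exception):
    """Raised when the cumulative extracted size crosses the configured cap."""


def build_bomb_crate(payload_size: int) -> bytes:
    """Construct a crate-shaped archive (tar, then gzip) whose single member is
    `payload_size` bytes of zeros. Zeros compress extremely well, so the archive
    is tiny relative to what it expands to. Constructed sample data, not a real
    crate; the member name is a placeholder."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        info = tarfile.TarInfo(name="bomb-0.1.0/src/lib.rs")
        info.size = payload_size
        tar.addfile(info, io.BytesIO(b"\0" * payload_size))
    return gzip.compress(tar_buf.getvalue())


def extract_bounded(archive: bytes, dest: Path, max_bytes: int,
                    chunk: int = 64 * 1024) -> int:
    """Stream-extract a .tar.gz into `dest`, refusing to write more than
    `max_bytes` in total. Returns the number of bytes written on success.

    Two checks cooperate: the declared member size rejects an oversized
    member before any of it is written, and the chunked counter keeps memory
    bounded (no member is read whole) while enforcing the same cap on the
    bytes actually produced."""
    written = 0
    gz = gzip.GzipFile(fileobj=io.BytesIO(archive), mode="rb")
    # "r|" is streaming mode: members are read in order without seeking back.
    with tarfile.open(fileobj=gz, mode="r|") as tar:
        for member in tar:
            rel = Path(member.name)
            # Refuse absolute or traversal paths before touching the filesystem.
            if rel.is_absolute() or ".." in rel.parts:
                raise ValueError(f"unsafe member path: {member.name}")
            if written + member.size > max_bytes:
                raise DecompressionLimitExceeded(
                    f"{member.name} would push output past {max_bytes} bytes")
            if member.isdir():
                (dest / rel).mkdir(parents=True, exist_ok=True)
                continue
            if not member.isfile():
                continue  # symlinks, devices etc. are out of scope here
            src = tar.extractfile(member)
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            with open(target, "wb") as out:
                while True:
                    data = src.read(chunk)
                    if not data:
                        break
                    written += len(data)
                    if written > max_bytes:
                        raise DecompressionLimitExceeded(
                            f"output exceeded {max_bytes} bytes")
                    out.write(data)
    return written


def rejects_archive(archive: bytes, max_bytes: int) -> bool:
    """Extract into a fresh temporary directory and report whether the cap
    stopped the extraction. Convenience wrapper for tests and demos."""
    dest = Path(tempfile.mkdtemp())
    try:
        extract_bounded(archive, dest, max_bytes)
    except DecompressionLimitExceeded:
        return True
    return False


if __name__ == "__main__":
    bomb = build_bomb_crate(8 * 1024 * 1024)
    ratio = (8 * 1024 * 1024) / len(bomb)
    print(f"archive {len(bomb)} bytes, expands {ratio:.0f}x")
    print("rejected with 1 MiB cap:", rejects_archive(bomb, 1024 * 1024))
    print("accepted with 16 MiB cap:", not rejects_archive(bomb, 16 * 1024 * 1024))
```

The cap is enforced against the decompressed byte count rather than the archive's on-disk size, which is the property a zip bomb abuses; checking the compressed size alone would accept the 8 MiB payload above because its archive is only a few kilobytes.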

No PoC is supplied for this issue

Users of alternate registries should exercise care in which packages they download, by only including trusted dependencies in their projects. Upgrading to Rust 1.64, which fixes the issue, removes the need to rely on this precaution alone.

(Rust) Security advisories for Cargo (CVE-2022-36113, CVE-2022-36114)

NVD
