CVE-2023-40030
CVSS 3.1 Score 6.1 of 10 (medium)
Details
Summary
CVE-2023-40030 is a vulnerability affecting Rust's Cargo build system, specifically versions prior to 1.72. Cargo downloads dependencies and compiles projects, and `cargo build --timings` generates an HTML report into which Cargo feature names were written without escaping. A malicious package could therefore inject nearly arbitrary HTML through its feature names, leading to cross-site scripting if the report is uploaded to a vulnerable domain. This issue primarily affects users who rely on dependencies from git, local paths, or alternative registries; users who depend only on crates.io are unaffected. Rust 1.72 addressed the vulnerability by turning the existing future incompatibility warning into an error, but users should remain cautious when selecting dependencies, since building a dependency inherently allows arbitrary code execution at build time. crates.io has implemented server-side checks to mitigate this threat, and no known exploits have been identified on the platform.
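The following Rust program is an added example, not Cargo's own code, illustrating the two layers of the fix described above: a report row builder that interpolates feature names into HTML unescaped (the shape of the bug) beside one that escapes them, plus a feature-name validator that rejects names containing markup, in the spirit of the check Cargo 1.72 turned into a hard error. The function names, the sample feature names and the exact allowed character set in `is_valid_feature_name` are assumptions of this example, not Cargo's rule.

```rust
// Added example (not Cargo's code): escaping and validating feature names before
// they are embedded in an HTML report such as the one produced by `cargo build --timings`.

/// Escape the five characters that matter when untrusted text lands in HTML.
fn html_escape(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// The shape of the bug: feature names interpolated straight into markup.
fn render_row_unescaped(package: &str, features: &[&str]) -> String {
    format!("<tr><td>{}</td><td>{}</td></tr>", package, features.join(", "))
}

/// Hardened: every untrusted string passes through html_escape first.
fn render_row_escaped(package: &str, features: &[&str]) -> String {
    let feats: Vec<String> = features.iter().map(|f| html_escape(f)).collect();
    format!(
        "<tr><td>{}</td><td>{}</td></tr>",
        html_escape(package),
        feats.join(", ")
    )
}

/// Defence in depth: reject feature names that are not plain identifiers, so
/// markup never reaches the report at all. Assumed rule for this example:
/// ASCII alphanumerics plus '_', '-', '+', '.', '/'.
fn is_valid_feature_name(name: &str) -> bool {
    !name.is_empty()
        && name
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || matches!(c, '_' | '-' | '+' | '.' | '/'))
}

fn main() {
    // Constructed sample: one feature name carrying markup, as a malicious
    // package from a git, path or alternative-registry source could declare.
    let features = ["default", "serde", "x<b>y</b>"];
    println!("unescaped: {}", render_row_unescaped("demo-crate", &features));
    println!("escaped:   {}", render_row_escaped("demo-crate", &features));
    for f in features {
        println!("{f:?} valid feature name: {}", is_valid_feature_name(f));
    }
}
```

Escaping at the point of output is the fix that removes the XSS regardless of where the name came from; the validator is the build-time check that, like Cargo's error in 1.72, stops a malformed name before any report is generated. Both are needed because a report generator cannot know which of its inputs were validated upstream.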