Rust Cargo fixes sparse registry URL mix-up that could leak tokens

Cargo could hand a token to the wrong sparse registry if a URL only differed by .git, and Rust 1.96.0 now stops that mix-up.

Sam Ortega · 2 min read
Cargo’s latest security fix closes a credential leak that came from a compatibility habit that had gone on too long. For third-party registries using the sparse index protocol, Cargo had been stripping a trailing .git from registry URLs, the same way many Git hosts treat example.com/index and example.com/index.git as the same place. That was harmless in git mode. In sparse mode, it created a path for tokens to land on the wrong server.

The Rust Security Response Team published CVE-2026-5222 on May 25, 2026, and Rust 1.96.0 shipped the fix on May 28. The vulnerable behavior affected every Cargo release shipped between Rust 1.68, when sparse registries were stabilized, and Rust 1.96. The issue does not affect crates.io, but it does matter anywhere a Cargo setup depends on a non-crates.io sparse registry, especially when multiple registries live under one domain or when authentication is layered on top of the index.

The attack path is narrow but real. A malicious registry operator could set up one sparse registry URL, then abuse Cargo’s URL normalization so that credentials intended for a different URL ending in .git were reused. If the attacker could publish to one registry and control the hosting behavior or files for the other, Cargo might send a victim’s token during a dependency fetch. The advisory says the risk is strongest when a hosting provider allows multiple registries under arbitrary names on the same domain. Sparse downloads can carry an Authorization header when auth-required is enabled in config.json, which makes the token-handling path especially sensitive.

Rust 1.96.0 changes that behavior so Cargo strips .git only for real git protocol use, not for sparse index URLs. There is no workaround for older Cargo versions, so the practical move is straightforward: upgrade now and audit how internal registries are named and hosted. If the same domain is carrying more than one registry, or if your sparse index expects authenticated downloads, this is the kind of compatibility shortcut that can turn into an unwanted token relay.
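To make the advisory's description concrete, here is an added Rust sketch (not Cargo's own source) that models the pre-1.96.0 normalization beside the fixed one and flags registry URLs in a config that would share a credential key under the old rule. The `registry.example.com` URLs and the `pre_fix` flag are constructed for illustration.

```rust
// Added illustration of the behavior the advisory describes; not Cargo's code.

/// Registry protocol, distinguished the way Cargo does: by the "sparse+" prefix.
#[derive(PartialEq)]
enum Protocol {
    Sparse,
    Git,
}

fn protocol(url: &str) -> Protocol {
    if url.starts_with("sparse+") { Protocol::Sparse } else { Protocol::Git }
}

/// Key under which a token is looked up for a registry URL.
/// `pre_fix = true` models Cargo before Rust 1.96.0: a trailing ".git" is
/// stripped for every registry, so two sparse URLs differing only by ".git"
/// collapse onto one key. `pre_fix = false` strips it only for git-protocol
/// registries, which is the fixed behavior.
fn credential_key(url: &str, pre_fix: bool) -> String {
    let url = url.trim_end_matches('/');
    let strip = pre_fix || protocol(url) == Protocol::Git;
    if strip {
        url.strip_suffix(".git").unwrap_or(url).to_string()
    } else {
        url.to_string()
    }
}

/// Audit helper: pairs of distinct registry URLs (e.g. from .cargo/config.toml)
/// that resolve to the same credential key under the chosen normalization.
fn colliding_registries(urls: &[&str], pre_fix: bool) -> Vec<(String, String)> {
    let mut out = Vec::new();
    for (i, a) in urls.iter().enumerate() {
        for b in &urls[i + 1..] {
            if a != b && credential_key(a, pre_fix) == credential_key(b, pre_fix) {
                out.push((a.to_string(), b.to_string()));
            }
        }
    }
    out
}

fn main() {
    // Constructed sample: two sparse registries on one host, differing only by ".git".
    let urls = [
        "sparse+https://registry.example.com/team-a/index.git",
        "sparse+https://registry.example.com/team-a/index",
    ];
    println!("before fix: {:?}", colliding_registries(&urls, true));
    println!("after fix:  {:?}", colliding_registries(&urls, false));
}
```

Running the audit with `pre_fix = false` against your own registry list is a quick way to confirm no remaining sparse URLs collide even after upgrading.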

The fix was developed by Arlo Siemens and reviewed by Weihang Lo, Eric Huss, and Emily Albini. Emily Albini wrote the advisory, and Emily Albini, Josh Stone, and Manish Goregaokar coordinated disclosure. Christos Papakonstantinou received credit for reporting the issue. It landed in a release that also closed another Cargo advisory from the same week, a reminder that registry plumbing now carries enough edge cases that old Git assumptions no longer belong in sparse land.

This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under.