Is cargo affected by CVE-2023-40030?

crates.io cargo is affected in >=1.60.0 <1.72.

Is CVE-2023-40030 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.8%.

low

CVE-2023-40030

Q: Is CVE-2023-40030 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.8%.

crates.io · cargo

Summary

Malicious dependencies can inject arbitrary JavaScript into cargo-generated timing reports

Severity: low
EPSS: 0.8% (p53)
Also known as: GHSA-wrrj-h57r-vx9p
Published: 2023-08-24

References

https://github.com/rust-lang/cargo/security/advisories/GHSA-wrrj-h57r-vx9p
https://github.com/rust-lang/cargo/commit/9835622853f08be9a4b58ebe29dcec8f43b64b33
https://github.com/rust-lang/cargo/commit/f975722a0eac934c0722f111f107c4ea2f5c4365

Related advisories

CVE-2023-38497 — high · crates.io/cargo
CVE-2019-16760 — high · crates.io/cargo
CVE-2022-46176 — medium · crates.io/cargo
CVE-2022-36114 — medium · crates.io/cargo

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.