DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-99J7-FHR2-XFJ4: GHSA-99J7-FHR2-XFJ4: Malicious Remote Code Execution Payload in 'exploration' Cargo Crate

GHSA-99J7-FHR2-XFJ4: Malicious Remote Code Execution Payload in 'exploration' Cargo Crate

Vulnerability ID: GHSA-99J7-FHR2-XFJ4
CVSS Score: 10.0
Published: 2026-07-10

The malicious Cargo package 'exploration' was uploaded to the crates.io registry. During compilation or package import, the crate executes code designed to establish an outbound TCP/HTTP connection, download an external second-stage binary, and execute the binary locally on the host machine. This creates an unauthenticated remote code execution vector impacting developer environments and continuous integration pipelines.

TL;DR

The malicious Rust crate 'exploration' was discovered performing arbitrary command execution and dynamic payload downloads during cargo compilation. It has been removed from the crates.io registry.


⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-506
  • Attack Vector: Supply Chain Compromise / Registry Abuse
  • CVSS Score: 10.0
  • Exploit Status: Active Malicious Upload (Removed)
  • KEV Status: Not Listed
  • Primary Impact: Remote Code Execution (RCE)
  • Ecosystem: Cargo (Rust)

Affected Systems

  • Rust development workstations running Cargo compilation
  • CI/CD build pipelines and containerized build runners
  • Self-hosted proxy registries caching public crates.io assets
  • exploration: >= 0.0.0-0 (Fixed in: None (Package Deleted))

Mitigation Strategies

  • Audit Cargo.toml and Cargo.lock across all internal projects for the 'exploration' dependency.
  • Clear the local Cargo registry and build cache to purge any residual files associated with the malicious crate.
  • Implement outbound network restrictions on CI/CD build environments to block unauthorized dynamic payloads.

Remediation Steps:

  1. Inspect all system dependency trees for references to the 'exploration' crate.
  2. Immediately terminate active processes on any host where 'exploration' was compiled or run.
  3. Execute 'cargo clean' and delete local registry cache directories: '~/.cargo/registry/src/' and '~/.cargo/registry/cache/'.
  4. Revoke and rotate all environment variables, SSH keys, registry credentials, and API tokens present on infected systems.
  5. Audit endpoint logs and network telemetry for outbound connections targeting unauthorized endpoints during the compilation window.

References


Read the full report for GHSA-99J7-FHR2-XFJ4 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)