Rust 1.66.1 has been released, and it’s a security patch update:
- Fixed Cargo not validating SSH host keys when using SSH to clone dependencies or registry indexes.
This vulnerability is tracked as CVE-2022-46176. All versions of Rust prior to 1.66.1 that include Cargo are affected.
Patches for Rust 1.66.0 are available at https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176 for those who need to apply the fix to a custom-built toolchain.
If you cannot upgrade to Rust 1.66.1 yet, the official recommendation is to configure Cargo to shell out to the git command instead of using its built-in git support. All git network operations are then performed by the git CLI, which does verify SSH host keys, so they are not affected by this vulnerability. This is set in the Cargo configuration file (for example ~/.cargo/config.toml) under the [net] table:
[net]
git-fetch-with-cli = true
The same setting can be applied without touching the config file by exporting the environment variable CARGO_NET_GIT_FETCH_WITH_CLI=true.
Cargo Security Advisory (CVE-2022-46176)
The Rust project has officially published the Cargo Security Advisory (CVE-2022-46176): the Rust Security Response Working Group learned that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker positioned on the network path could exploit this to perform a man-in-the-middle (MITM) attack and serve a tampered index or dependency.
“When an SSH client establishes communication with a server, in order to prevent MITM attacks, the client should check whether it has already communicated with that server, and what the server’s public key was at that time. If the key has changed since the last connection, the connection must be aborted, as a MITM attack may occur.”
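The check the advisory describes, written out as an added example in Rust (this is not Cargo's or libgit2's code): the client keeps a known_hosts file, looks the server up by name and port, compares the key the server presents with the stored one, and refuses to continue when the key has changed. The known_hosts contents and the key blobs are constructed sample values, not real keys; hashed entries and @cert-authority markers are skipped rather than handled.

```rust
// Added example: SSH host key verification against a known_hosts file.
// Not the Cargo/libgit2 implementation; sample data below is constructed.
use std::collections::HashMap;

/// Result of comparing a presented server key with the stored record.
#[derive(Debug, PartialEq, Eq)]
pub enum HostKeyStatus {
    /// Host known and key matches: safe to continue.
    Trusted,
    /// Host (or this key type) never seen: prompt the user, or reject in strict mode.
    Unknown,
    /// Host known but the key differs: abort, a MITM attack may be in progress.
    Changed { expected: String },
}

/// One stored key: algorithm name (e.g. "ssh-ed25519") plus base64 blob.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct HostKey {
    pub key_type: String,
    pub key_b64: String,
}

/// Constructed known_hosts sample (assumption: these hosts and keys are fictional).
pub const SAMPLE_KNOWN_HOSTS: &str = "\
# constructed sample, not real keys
github.example,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne
[git.example]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQexampleRsaKey
@cert-authority *.corp.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIcaKeySkipped
|1|hashedsalt=|hashedhost= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIhashedSkipped
";

/// Parse OpenSSH known_hosts lines: "host[,host...] key-type base64 [comment]".
/// Hashed entries ("|1|...") and marker lines ("@...") are skipped here.
pub fn parse_known_hosts(text: &str) -> HashMap<String, Vec<HostKey>> {
    let mut map: HashMap<String, Vec<HostKey>> = HashMap::new();
    for raw in text.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') || line.starts_with('@') || line.starts_with('|') {
            continue;
        }
        let fields: Vec<&str> = line.split_whitespace().collect();
        if fields.len() < 3 {
            continue; // malformed line, ignore
        }
        for host in fields[0].split(',') {
            map.entry(host.to_string()).or_default().push(HostKey {
                key_type: fields[1].to_string(),
                key_b64: fields[2].to_string(),
            });
        }
    }
    map
}

/// Compare the key `presented` by `host:port` with what known_hosts records.
/// Port 22 is stored as the bare name; other ports as "[host]:port".
pub fn check_host_key(
    known: &HashMap<String, Vec<HostKey>>,
    host: &str,
    port: u16,
    presented: &HostKey,
) -> HostKeyStatus {
    let name = if port == 22 { host.to_string() } else { format!("[{}]:{}", host, port) };
    match known.get(&name) {
        None => HostKeyStatus::Unknown,
        Some(keys) => match keys.iter().find(|k| k.key_type == presented.key_type) {
            None => HostKeyStatus::Unknown, // host known, but not with this key type
            Some(k) if k.key_b64 == presented.key_b64 => HostKeyStatus::Trusted,
            Some(k) => HostKeyStatus::Changed { expected: k.key_b64.clone() },
        },
    }
}

/// Connection policy: a changed key is always fatal; an unknown host is only
/// accepted when not in strict mode (trust on first use). Cargo before 1.66.1
/// effectively behaved as if this always returned true.
pub fn should_connect(status: &HostKeyStatus, strict: bool) -> bool {
    match status {
        HostKeyStatus::Trusted => true,
        HostKeyStatus::Unknown => !strict,
        HostKeyStatus::Changed { .. } => false,
    }
}

fn main() {
    let known = parse_known_hosts(SAMPLE_KNOWN_HOSTS);
    let presented = HostKey {
        key_type: "ssh-ed25519".to_string(),
        key_b64: "AAAAC3NzaC1lZDI1NTE5AAAAIAttackerSubstitutedKey".to_string(),
    };
    let status = check_host_key(&known, "github.example", 22, &presented);
    println!("github.example: {:?}, connect = {}", status, should_connect(&status, true));
}
```

With the sample data, a server at github.example presenting any ed25519 key other than the recorded one yields Changed and the connection is refused; the same key on port 2222 is Unknown, because the port is part of the lookup name.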