FIND-20260413-003 · 2026-04-13 · Innovation Veille
CVE-2026-33055/33056: Rust 1.94.1 Patches tar Crate Vulnerabilities in Cargo
cve
MEDIUM
Rust 1.94.1 was released on March 26, 2026 as a point release patching CVE-2026-33055 and CVE-2026-33056 in the tar crate bundled with Cargo. These affect Cargo's archive handling during dependency download. crates.io users are unaffected during normal use, but local Cargo operations on untrusted archives could be affected. ODS is already on 1.94.1 (confirmed in last-versions.json).
Source
https://api.github.com/repos/rust-lang/rust/releases/latest
ODS Impact
All ODS Rust backend services (oid, docstore, pdf-engine, billing-engine, etc.) use Cargo. Verify all CI/CD environments and developer machines are on Rust 1.94.1+.
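A version gate for the verification step above, as an added example (not part of the original finding or of ODS tooling). The function names and the `--check` flag are assumptions; the minimum version is the 1.94.1 stated in the finding.

```shell
#!/bin/sh
# Added example: fail a CI step or local check when rustc/cargo predate the patched release.
MIN_RUST="1.94.1"   # first release with the tar crate fixes, per the finding above

# Extract MAJOR.MINOR.PATCH from a `rustc --version` / `cargo --version` line.
# Channel suffixes such as -nightly or -beta.N are ignored.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[a-z]* \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 when version $1 >= version $2. Fields are compared numerically,
# so 1.100.0 sorts above 1.94.1 (a plain string comparison would get this wrong).
version_ge() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2        # split both versions into $1..$3 and $4..$6
    IFS=$old_ifs
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# Judge one version line: 0 = patched, 1 = too old, 2 = unparseable or missing.
check_version_line() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "FAIL: cannot parse version from: $1"; return 2
    fi
    if version_ge "$ver" "$MIN_RUST"; then
        echo "OK:   $1"
    else
        echo "FAIL: $ver < $MIN_RUST in: $1"; return 1
    fi
}

# Invoke with --check to test the toolchain installed on this machine or runner.
if [ "${1:-}" = "--check" ]; then
    status=0
    for tool in rustc cargo; do
        line=$("$tool" --version 2>/dev/null) || line="$tool not found"
        check_version_line "$line" || status=1
    done
    exit "$status"
fi
```

Both `rustc` and `cargo` are checked because the affected tar crate ships inside Cargo, and the two binaries can come from different installs on a developer machine.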
Security Review
License: N/A | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE
Tags
rust
cargo
cve
tar
supply-chain
security