Critical Vulnerability in Rust Standard Library

Published on 11 Apr 2024

The Rust project has released Rust 1.77.2 to address a critical vulnerability (CVE-2024-24576) in the Rust standard library's `std::process::Command` API. The vulnerability has a Common Vulnerability Scoring System (CVSSv3) score of 10 out of 10.

Successful exploitation of the command injection vulnerability on a Windows system could allow an unauthenticated attacker who controls the arguments passed to a batch file (.bat or .cmd) to execute arbitrary shell commands. The attacker does not need to supply the batch file itself; a specially crafted argument to an otherwise benign batch file is sufficient.

The critical vulnerability affects all Rust versions prior to 1.77.2 on Windows if a program's code or one of its dependencies invokes and executes batch files with untrusted arguments. The root cause is that Windows runs .bat and .cmd files through cmd.exe, which parses arguments by its own rules; the standard library's argument escaping did not account for those rules, so crafted arguments could be interpreted as additional commands. No other platforms or uses on Windows are affected.
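As an added illustration (not code from the Rust project or the advisory), the following Rust snippet shows the affected pattern, a program forwarding untrusted arguments to a batch file through `std::process::Command`, alongside a defensive pre-check that refuses arguments containing cmd.exe metacharacters before the process is spawned. The `CMD_METACHARS` list and the helper names are this example's own assumptions, and the check is a strict allowlist-style filter rather than a complete model of cmd.exe's grammar; it is defence in depth on top of, not a substitute for, updating to Rust 1.77.2, which returns an `InvalidInput` error itself when it cannot escape an argument safely.

```rust
use std::io;
use std::process::Command;

/// Characters that cmd.exe interprets before a batch file ever sees its
/// arguments. Any argument containing one of these is refused outright.
/// Assumption for this example: the list is intentionally conservative and
/// does not try to reproduce cmd.exe's full parsing rules.
const CMD_METACHARS: &[char] = &['&', '|', '<', '>', '^', '%', '!', '"', '(', ')'];

/// Returns true when `arg` contains no cmd.exe metacharacters and no control
/// characters (newlines and carriage returns would also break argument
/// boundaries inside cmd.exe).
pub fn arg_is_safe_for_batch(arg: &str) -> bool {
    !arg
        .chars()
        .any(|c| CMD_METACHARS.contains(&c) || c.is_control())
}

/// Builds the `Command` for a batch script only if every argument passes the
/// check above. Returns `InvalidInput` otherwise, mirroring the error kind a
/// patched standard library uses when it cannot escape an argument.
pub fn build_batch_command(script: &str, args: &[&str]) -> io::Result<Command> {
    if let Some(bad) = args.iter().find(|a| !arg_is_safe_for_batch(a)) {
        return Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            format!("refusing to pass argument {bad:?} to {script}"),
        ));
    }
    let mut cmd = Command::new(script);
    cmd.args(args);
    Ok(cmd)
}

/// Spawns the batch script and waits for it. On Rust 1.77.2 or later, `spawn`
/// may also return `InvalidInput` if the standard library itself cannot
/// escape an argument; both cases are surfaced to the caller the same way.
pub fn run_batch(script: &str, args: &[&str]) -> io::Result<i32> {
    let mut cmd = build_batch_command(script, args)?;
    let status = cmd.status()?;
    Ok(status.code().unwrap_or(-1))
}

fn main() {
    // Constructed sample inputs: one benign argument, one that a pre-1.77.2
    // standard library would have forwarded to cmd.exe unchanged.
    let inputs = ["report-2024.txt", "report.txt&whoami"];
    for arg in inputs {
        println!("{arg:?} passes pre-check: {}", arg_is_safe_for_batch(arg));
    }

    // Only meaningful on Windows, where .bat files are executed via cmd.exe.
    // The script path is an assumption for this example.
    #[cfg(windows)]
    match run_batch("process.bat", &inputs[1..]) {
        Ok(code) => println!("batch exited with {code}"),
        Err(e) => println!("refused: {e}"),
    }
}
```

The pre-check is deliberately placed before `Command::new` so that the rejection happens in application code regardless of toolchain version; programs that use `CommandExt::raw_arg` bypass the standard library's escaping entirely and remain responsible for validating their own input.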

Developers of affected programs are advised to update their Rust toolchain to 1.77.2 or later and rebuild immediately; because the standard library is compiled into each binary, end users of affected programs need rebuilt releases rather than a separate library update. Rust 1.77.2 improves the escaping of arguments passed to batch files and returns an `InvalidInput` error from `Command` when an argument cannot be escaped safely. Programs that pass arguments through `CommandExt::raw_arg` bypass this escaping and remain responsible for validating their own input.

More information is available here:

https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html

https://www.bleepingcomputer.com/news/security/critical-rust-flaw-enables-windows-command-injection-attacks/