High-Severity Vulnerability in R Programming Language

Published on 03 May 2024

The R Project has released updates addressing a high-severity vulnerability (CVE-2024-27322) affecting the R programming language. This vulnerability has a Common Vulnerability Scoring System (CVSSv3) score of 8.8 out of 10.

The vulnerability stems from how R handles serialisation and deserialisation. Promise objects carrying arbitrary code can be embedded in the metadata of R Data Serialization (RDS) files or R package files (RDX), and that code is executed once the file has been deserialised.

Successful exploitation of the vulnerability could allow an unauthorised attacker to perform arbitrary code execution when victims open maliciously crafted RDS or RDX files.

The vulnerability affects R Core versions from 1.4.0 up to, but not including, 4.4.0.

Users and administrators of the affected product versions are advised to update to the latest versions immediately.
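
As an added example (not code from this advisory or from the R Project), the Python code below triages an RDS file without loading it in R: it reads only the serialisation header and reports whether the top-level object is a promise. The stream layout and the promise type code 5 are assumptions taken from R's documented serialisation format, the sample bytes are constructed, and nested promises and RDX files are not covered.

```python
import bz2
import gzip
import lzma
import struct

PROMSXP = 5  # SEXPTYPE code R assigns to promise objects (assumption, see lead-in)

def decompress(raw: bytes) -> bytes:
    """Undo the compression saveRDS may apply (gzip by default)."""
    if raw[:2] == b"\x1f\x8b":
        return gzip.decompress(raw)
    if raw[:3] == b"BZh":
        return bz2.decompress(raw)
    if raw[:6] == b"\xfd7zXZ\x00":
        return lzma.decompress(raw)
    return raw  # already uncompressed

def r_version(packed: int) -> str:
    """R packs versions as major*65536 + minor*256 + patch."""
    return f"{packed >> 16}.{(packed >> 8) & 0xFF}.{packed & 0xFF}"

def triage_rds(raw: bytes) -> dict:
    """Read the stream header and the first item's flags; nothing is evaluated."""
    data = decompress(raw)
    if data[:2] != b"X\n":
        raise ValueError("not an XDR serialization stream")
    fmt, writer, min_reader = struct.unpack_from(">3i", data, 2)
    pos = 14
    if fmt == 3:  # version 3 adds a length-prefixed native encoding name
        (enc_len,) = struct.unpack_from(">i", data, pos)
        pos += 4 + enc_len
    elif fmt != 2:
        raise ValueError(f"unsupported serialization version {fmt}")
    (flags,) = struct.unpack_from(">i", data, pos)
    return {
        "format": fmt,
        "written_by": r_version(writer),
        "min_reader": r_version(min_reader),
        "top_level_promise": (flags & 0xFF) == PROMSXP,  # low byte is the type
    }

# Constructed samples: headers plus one flags word, no object body or payload.
HDR_V3 = b"X\n" + struct.pack(">3i", 3, 0x040302, 0x030500) + struct.pack(">i", 5) + b"UTF-8"
HDR_V2 = b"X\n" + struct.pack(">3i", 2, 0x040302, 0x020300)
SAMPLE_VECTOR = gzip.compress(HDR_V3 + struct.pack(">3i", 13, 1, 42))  # integer vector
SAMPLE_PROMISE = HDR_V2 + struct.pack(">i", PROMSXP)  # promise as top-level object

if __name__ == "__main__":
    for name, blob in (("vector", SAMPLE_VECTOR), ("promise", SAMPLE_PROMISE)):
        print(name, triage_rds(blob))
```

A negative result only rules out a promise at the top level of the stream.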

More information is available here: