Code execution vulnerability found in R language


Researchers have discovered a serious security vulnerability in the R programming language that could allow arbitrary code execution. Given how widely the language is used, especially in AI/ML projects, the vulnerability could have a huge impact if exploited in the wild. Users were urged to update to the latest R Core release, which carries the patch.

Vulnerability in the R language can have widespread consequences

According to a recent report from HiddenLayer, its researchers found a serious code-execution vulnerability in the R programming language.

As explained, the vulnerability stems from the deserialization of untrusted data, and involves R's promise objects and lazy evaluation. A threat actor could exploit the flaw by tricking the victim into loading a maliciously crafted RDS (R Data Serialization) file or installing a malicious R package that contains one. Once the file is deserialized and the embedded promise is touched, it executes arbitrary R code on the target machine.

While this sounds serious, exploiting the flaw requires action from the victim, so an attacker would have to social-engineer the victim into loading the file. Nevertheless, attackers could also publish maliciously crafted R packages to public repositories to reach unsuspecting users at scale.
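A practical check for the scenario above is to inspect an untrusted RDS file before any R process loads it, since the dangerous evaluation happens inside R. The scanner below is an added example written for this article, not HiddenLayer's or R Core's code: it walks the XDR serialization format (versions 2 and 3, as documented in R Internals and R's serialize.c) with a Python parser that handles the common SEXP types, refuses anything it does not understand (for example bytecode) rather than guess, and flags any promise object (PROMSXP). The two sample blobs are constructed by hand for the example and are not files written by R; the symbol `f` is a placeholder.

```python
import gzip
import struct

# SEXP type codes from R's serialize.c (the subset needed to walk common RDS files)
SYMSXP, LISTSXP, CLOSXP, ENVSXP, PROMSXP, LANGSXP = 1, 2, 3, 4, 5, 6
SPECIALSXP, BUILTINSXP, CHARSXP, LGLSXP, INTSXP, REALSXP, CPLXSXP = 7, 8, 9, 10, 13, 14, 15
STRSXP, DOTSXP, VECSXP, EXPRSXP, EXTPTRSXP, WEAKREFSXP, RAWSXP, S4SXP = 16, 17, 19, 20, 22, 23, 24, 25
# pseudo-types that exist only inside the serialized stream
REFSXP, NILVALUE_SXP, GLOBALENV_SXP, UNBOUNDVALUE_SXP, MISSINGARG_SXP = 255, 254, 253, 252, 251
NAMESPACESXP, PACKAGESXP, BASENAMESPACE_SXP, PERSISTSXP = 250, 249, 247, 246
EMPTYENV_SXP, BASEENV_SXP, ATTRLANGSXP, ATTRLISTSXP, ALTREP_SXP = 242, 241, 240, 239, 238
SINGLETONS = {NILVALUE_SXP, GLOBALENV_SXP, UNBOUNDVALUE_SXP, MISSINGARG_SXP,
              BASENAMESPACE_SXP, EMPTYENV_SXP, BASEENV_SXP}
PAIR_TYPES = {LISTSXP, LANGSXP, CLOSXP, PROMSXP, DOTSXP}
ELEM_SIZE = {LGLSXP: 4, INTSXP: 4, REALSXP: 8, CPLXSXP: 16, RAWSXP: 1}   # bytes per element


class RdsScanner:
    """Walks one serialized object (XDR format 2 or 3) and counts the SEXP types it meets."""

    def __init__(self, data: bytes):
        if data[:2] == b"\x1f\x8b":                 # saveRDS() gzips by default
            data = gzip.decompress(data)
        if data[:2] != b"X\n":
            raise ValueError("not XDR R serialization (ascii 'A\\n' and native 'B\\n' not handled)")
        self.buf, self.pos, self.counts = data, 2, {}
        self.version = self.read_int()
        self.writer_version = self.read_int()
        self.min_reader_version = self.read_int()
        if self.version == 3:                       # format 3 appends the native encoding name
            self.read_bytes(self.read_int())

    def read_int(self) -> int:
        (v,) = struct.unpack_from(">i", self.buf, self.pos)
        self.pos += 4
        return v

    def read_bytes(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated stream")
        b, self.pos = self.buf[self.pos:self.pos + n], self.pos + n
        return b

    def read_length(self) -> int:                   # -1 introduces a 64-bit long-vector length
        n = self.read_int()
        return (self.read_int() << 32) | self.read_int() if n == -1 else n

    def item(self) -> None:
        flags = self.read_int()
        t, has_attr, has_tag = flags & 0xFF, bool(flags & (1 << 9)), bool(flags & (1 << 10))
        if t == ATTRLANGSXP: t, has_attr = LANGSXP, True
        if t == ATTRLISTSXP: t, has_attr = LISTSXP, True
        self.counts[t] = self.counts.get(t, 0) + 1
        if t in SINGLETONS:
            return
        if t == REFSXP:                              # back-reference: index packed in flags or follows
            if flags >> 8 == 0: self.read_int()
            return
        if t in (PERSISTSXP, PACKAGESXP, NAMESPACESXP):
            self.read_int()                          # names placeholder, then a vector of CHARSXPs
            for _ in range(self.read_int()): self.item()
            return
        if t == SYMSXP:
            self.item()                              # PRINTNAME (a CHARSXP)
            return
        if t == ENVSXP:
            self.read_int()                          # locked flag
            for _ in range(4): self.item()           # enclos, frame, hashtab, attrib
            return
        if t in PAIR_TYPES:                          # attrib?, tag?, CAR, CDR (PROMSXP: env?, value, code)
            if has_attr: self.item()
            if has_tag: self.item()
            self.item(); self.item()
            return
        if t == ALTREP_SXP:
            self.item(); self.item(); self.item()    # class info, state, attributes
            return
        if t == EXTPTRSXP:
            self.item(); self.item()                 # protected value, tag
        elif t in (SPECIALSXP, BUILTINSXP):
            self.read_bytes(self.read_int())         # primitive name
        elif t == CHARSXP:
            n = self.read_int()                      # -1 encodes NA_character_
            if n != -1: self.read_bytes(n)
        elif t in ELEM_SIZE:
            self.read_bytes(ELEM_SIZE[t] * self.read_length())
        elif t in (STRSXP, VECSXP, EXPRSXP):
            for _ in range(self.read_length()): self.item()
        elif t not in (S4SXP, WEAKREFSXP):           # e.g. BCODESXP (21): refuse rather than guess
            raise ValueError(f"unsupported SEXP type {t} at offset {self.pos}")
        if has_attr:
            self.item()


def r_version(v: int) -> str:                       # R packs versions as major*65536 + minor*256 + patch
    return f"{v >> 16}.{(v >> 8) & 0xFF}.{v & 0xFF}"


def scan_rds(data: bytes) -> dict:
    """Inspect an RDS blob outside R and report whether it carries a promise object."""
    s = RdsScanner(data)
    s.item()
    findings = []
    if s.counts.get(PROMSXP):
        findings.append("PROMSXP present: lazily evaluated code runs when the value is first touched")
        if s.counts.get(UNBOUNDVALUE_SXP):
            findings.append("promise is unforced (value unbound), so its code has not run yet")
    for code_type, name in ((LANGSXP, "LANGSXP (call)"), (CLOSXP, "CLOSXP (function)")):
        if s.counts.get(code_type):
            findings.append(f"contains {name}: normal for formulas and models, review if plain data was expected")
    if s.pos != len(s.buf):
        findings.append(f"{len(s.buf) - s.pos} trailing bytes after the object")
    return {"format_version": s.version, "writer_version": r_version(s.writer_version),
            "counts": s.counts, "findings": findings, "suspicious": PROMSXP in s.counts}


def _xdr(*ints: int) -> bytes:
    return b"".join(struct.pack(">i", i) for i in ints)

# Constructed by hand for this example (not written by R): format 2 header, writer R 4.3.2, min reader 2.3.0
_HEADER = b"X\n" + _xdr(2, 4 * 65536 + 3 * 256 + 2, 2 * 65536 + 3 * 256)
BENIGN_RDS = _HEADER + _xdr(INTSXP, 2, 1, 2)        # c(1L, 2L)
# list(<promise>): an unforced PROMSXP (value = R_UnboundValue) whose code is the call f();
# this is the object shape the advisory describes, with the placeholder symbol f
PROMISE_RDS = (_HEADER + _xdr(VECSXP, 1, PROMSXP, UNBOUNDVALUE_SXP, LANGSXP, SYMSXP, CHARSXP, 1)
               + b"f" + _xdr(NILVALUE_SXP))

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_RDS), ("promise", PROMISE_RDS), ("promise.gz", gzip.compress(PROMISE_RDS))):
        print(label, scan_rds(blob))
```

Run it against a real file with `scan_rds(open("model.rds", "rb").read())`; bzip2- or xz-compressed RDS files need decompressing first. Treat any `suspicious` result as a reason not to call `readRDS()` on the file with a pre-4.4.0 interpreter, and treat a parser error as "unknown", not as "clean".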

The vulnerability has been assigned the CVE ID CVE-2024-27322, with a high severity rating and a CVSS score of 8.8. HiddenLayer researchers presented a detailed technical analysis of the flaw in their post, alongside a video demonstrating the exploit.

Patch implemented

Following the vulnerability report, the R Core developers patched the flaw in their latest release. In addition, CERT/CC has issued an advisory alerting R users to the flaw. Users are therefore advised to update to R Core v4.4.0, which the developers say fully fixes the bug. According to their statement to The Register, the patched R Core version removes the attack vector for the vulnerability, eliminating the possibility of widespread impact.

