Open source programming language R patches gnarly arbitrary code exec flaw


The open source R programming language – popular among statisticians and data scientists for performing visualization, machine learning, and suchlike – has patched an arbitrary code execution hole that scored a preliminary CVSS severity rating of 8.8 out of 10.

The vulnerability, tagged CVE-2024-27322, can be exploited by tricking someone into loading a maliciously crafted RDS (R Data Serialization) file into an R-based project, or by fooling them into integrating a poisoned R package into a code base. Doing so will trigger the execution of a code payload within the file or package, which could leak the user’s files to another source, delete data, or perform other devilish activities.

The hole was closed in version 4.4.0 of R Core, which was released earlier this month – upgrading ASAP is strongly advised.

The flaw lies in how R deserializes data. R’s built-in deserialization feature, which loads information from files to unpack into data structures in memory, is insecure and can be exploited to execute arbitrary code on a victim’s machine.

Read more…