Newly Discovered R Programming Language Vulnerability Could Lead to Supply Chain Attacks

April 29, 2024

A newly identified security vulnerability in the R programming language could be exploited to execute code when a malicious RDS file is loaded and referenced. The flaw, known as CVE-2024-27322, is linked to the use of promise objects and lazy evaluation in R, according to a report by AI application security firm HiddenLayer.

RDS, similar to Python's pickle, is a format used to save and serialize the state of data structures or objects in R, an open-source language widely used for statistical computing, data visualization, and machine learning. The same serialization and deserialization machinery, exposed through functions like serialize(), saveRDS(), unserialize(), and readRDS(), is also used when saving and loading R packages.

The core issue with CVE-2024-27322 is that it could lead to arbitrary code execution when untrusted data is deserialized, putting users at risk of supply chain attacks through malicious R packages. An attacker could exploit this flaw by leveraging the RDS format used by R packages to save and load data, leading to automatic code execution when the package is decompressed and deserialized.

HiddenLayer warned, "R packages are vulnerable to this exploit and can, therefore, be used as part of a supply chain attack via package repositories. For an attacker to take over an R package, all they need to do is overwrite the rdx file with the maliciously crafted file, and when the package is loaded, it will automatically execute the code."

This vulnerability has been addressed in R version 4.4.0, released on April 24, 2024, following responsible disclosure. HiddenLayer further explained, "An attacker can exploit this [flaw] by crafting a file in RDS format that contains a promise instruction setting the value to unbound_value and the expression to contain arbitrary code. Due to lazy evaluation, the expression will only be evaluated and run when the symbol associated with the RDS file is accessed."

This means that if a user assigns the object loaded from an RDS file to a symbol (variable), the arbitrary code will be executed when the user references that symbol. If the object is compiled within an R package, the package can be added to an R repository such as CRAN, and the arbitrary code will run when a user loads that package.
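Because the trigger is a promise object inside the serialized stream, a defender can check for that object before the file ever reaches readRDS() or unserialize(). The scanner below is an added example written for this article; it is not code from R or from HiddenLayer. It walks the XDR binary format that saveRDS() writes (gzip-compressed or raw), using the SEXPTYPE codes and record layout of R's serialize.c, counts PROMSXP records, and fails closed on any record type it does not know how to walk. The two sample streams at the bottom are hand-constructed for the test, not real R output; the "promise" sample has a NULL code slot, so it only reproduces the shape that needs catching.

```python
"""Pre-load check for R RDS files: count promise objects (PROMSXP) in the
serialized stream before the file reaches readRDS()/unserialize().

Added example, not R's or HiddenLayer's code. Type codes follow the public
layout of R's serialize.c; the sample streams are hand-constructed."""
import gzip
import struct

# SEXPTYPE codes from R's Rinternals.h, plus the pseudo-types serialize.c uses.
SYMSXP, LISTSXP, CLOSXP, ENVSXP, PROMSXP, LANGSXP, DOTSXP, CHARSXP = 1, 2, 3, 4, 5, 6, 17, 9
LGLSXP, INTSXP, REALSXP, CPLXSXP, STRSXP, VECSXP, EXPRSXP, RAWSXP = 10, 13, 14, 15, 16, 19, 20, 24
PAIRLIKE = {LISTSXP, CLOSXP, PROMSXP, LANGSXP, DOTSXP}
# NILVALUE, GLOBALENV, UNBOUNDVALUE, MISSINGARG, BASENAMESPACE, EMPTYENV, BASEENV
LEAF_CODES = {254, 253, 252, 251, 250, 242, 241}
REFSXP, ATTRLISTSXP, ATTRLANGSXP = 255, 239, 240


class RdsScanner:
    def __init__(self, data: bytes):
        self.buf, self.pos, self.promises = data, 0, 0

    def _int(self) -> int:
        (v,) = struct.unpack_from(">i", self.buf, self.pos)
        self.pos += 4
        return v

    def _length(self) -> int:
        n = self._int()
        if n == -1:                        # long vector: length split across two ints
            n = (self._int() << 32) + self._int()
        return n

    def _skip(self, n: int) -> None:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated stream")
        self.pos += n

    def header(self) -> None:
        if self.buf[:2] != b"X\n":
            raise ValueError("only XDR binary RDS streams are handled")
        self.pos = 2
        version, _writer_version, _min_reader_version = self._int(), self._int(), self._int()
        if version == 3:                   # format 3 adds the native encoding name
            self._skip(self._int())

    def scan_item(self) -> None:
        flags = self._int()
        typ, has_attr, has_tag = flags & 0xFF, bool(flags & 0x200), bool(flags & 0x400)
        if typ in LEAF_CODES:
            return
        if typ == REFSXP:                  # back-reference to an earlier symbol/environment
            if flags >> 8 == 0:
                self._int()
            return
        if typ == SYMSXP:                  # symbol: its print name follows as a CHARSXP
            return self.scan_item()
        if typ in (ATTRLISTSXP, ATTRLANGSXP):   # older pairlist encodings carrying attributes
            typ, has_attr = (LISTSXP if typ == ATTRLISTSXP else LANGSXP), True
        if typ in PAIRLIKE:
            if typ == PROMSXP:
                self.promises += 1
            if has_attr:
                self.scan_item()
            if has_tag:
                self.scan_item()           # for a promise, this slot is its environment
            self.scan_item()               # CAR: for a promise, the cached value
            self.scan_item()               # CDR: for a promise, the unevaluated code
            return
        if typ == ENVSXP:
            self._int()                    # locked flag
            for _ in range(4):             # enclosure, frame, hash table, attributes
                self.scan_item()
            return
        if typ == CHARSXP:
            n = self._int()                # -1 encodes NA_character_
            if n >= 0:
                self._skip(n)
        elif typ in (LGLSXP, INTSXP):
            self._skip(4 * self._length())
        elif typ == REALSXP:
            self._skip(8 * self._length())
        elif typ == CPLXSXP:
            self._skip(16 * self._length())
        elif typ == RAWSXP:
            self._skip(self._length())
        elif typ in (STRSXP, VECSXP, EXPRSXP):
            for _ in range(self._length()):
                self.scan_item()
        else:                              # anything else: fail closed rather than guess
            raise ValueError(f"unsupported SEXPTYPE {typ} at offset {self.pos - 4}")
        if has_attr:
            self.scan_item()


def scan_rds(data: bytes) -> dict:
    """Verdict for one RDS stream, gzip-compressed (saveRDS default) or raw XDR."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    sc = RdsScanner(data)
    try:
        sc.header()
        sc.scan_item()
        if sc.pos != len(data):
            raise ValueError(f"{len(data) - sc.pos} trailing bytes after top-level object")
        parsed, error = True, None
    except (ValueError, struct.error) as exc:
        parsed, error = False, str(exc)
    return {"parsed": parsed, "error": error, "promises": sc.promises,
            "safe_to_load": parsed and sc.promises == 0}


def _header() -> bytes:
    # Constructed format-3 XDR header: magic, format version, writer R version
    # (4.4.0 packed as 0x040400), minimum reader version (3.5.0), encoding name.
    return b"X\n" + struct.pack(">iii", 3, 0x040400, 0x030500) + struct.pack(">i", 5) + b"UTF-8"


# Constructed sample: the integer vector c(1L, 2L, 3L).
BENIGN_SAMPLE = _header() + struct.pack(">iiiii", INTSXP, 3, 1, 2, 3)
GZIPPED_BENIGN = gzip.compress(BENIGN_SAMPLE)
# Constructed sample: a one-element pairlist holding a promise whose value slot is
# UNBOUNDVALUE and whose code slot is NULL. Inert, but it is the shape to catch.
PROMISE_SAMPLE = _header() + struct.pack(">iiiii", LISTSXP, PROMSXP, 252, 254, 254)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_rds(fh.read()))
```

Run it as `python scan_rds.py file.rds` on anything readRDS() would open. A promise record has no business in a plain data file, so a non-zero count, or a stream the scanner refuses to walk, is a reason to quarantine and inspect the file rather than load it, on any R version; the check is a pre-filter, not a substitute for running a patched R.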
