VU#238194: R Programming Langu... Note

VU#238194: R Programming Language implementations are vulnerable to arbitrary code execution during deserialization of .rds and .rdx files

A vulnerability in the R language has been discovered, allowing for arbitrary code execution after deserialization of untrusted data. This vulnerability affects RDS and .rdx files, which can be exploited by attackers to execute malicious commands on victim devices. R supports data serialization and lazy evaluation through Promise objects, which can be exploited when loaded with malicious code. An attacker can distribute malicious .rds and .rdx files using social engineering, and the code can access resources and exfiltrate data. The R project has released R Core Version 4.4.0 to address this vulnerability, restricting promises in serialization streams. Users should apply updates and use untrusted files in a sandbox environment to prevent unexpected access. The vulnerability was reported by Kasimir Schulz and Kieran Evans of HiddenLayer, and the document was written by Christopher Cullen.