R Programming Bug Exposes Orgs to Vast Supply Chain Risk

Published : 23/11/2024   Category : security




The CVE-2024-27322 security vulnerability in R's deserialization process gives attackers a way to execute arbitrary code in target environments via specially crafted files.



A high-severity vulnerability in an R programming language process could expose organizations using the popular open source language to attacks via the software supply chain.
The vulnerability, assigned CVE-2024-27322, has a CVSS severity score of 8.8 out of 10. It involves R's process for deserializing data, that is, converting objects encoded in formats such as JSON, XML, or binary back into their original in-memory form for use in an application or program.
R is a relatively widely used language for statistical computing and graphics applications. It is popular among developers in sectors such as financial services, healthcare, research, and government, and in environments involving large datasets such as AI and machine learning. The Comprehensive R Archive Network (CRAN), which is the most popular R package repository, currently hosts more than 20,000 packages, while R-Forge, a site that provides R package development tools, has more than 15,800 registered members and hosts some 2,146 projects.
Researchers at HiddenLayer found a weakness in R's process that gives attackers a way to execute arbitrary code in a victim environment via a specially crafted R Data Serialization (RDS) file. Programmers commonly use RDS files to store R objects for future use or to share them with others.
This vulnerability can be exploited through the loading of RDS files or R packages, which are often shared between developers and data scientists, HiddenLayer researchers Kasimir Schulz and Kieran Evans said in a report this week. An attacker can create malicious RDS files or R packages containing embedded arbitrary R code that executes on the victim's target device upon interaction, according to the report.
The maintainers of R have addressed the issue in R version 4.4.0 after HiddenLayer informed them of the issue.
The vulnerability in R that HiddenLayer discovered relates to two fundamental concepts in R: lazy evaluation and promise objects.
Lazy evaluation is a programming technique in which an R program does not evaluate an expression or variable until it is actually required, that is, until it is directly accessed. The goal is to improve performance by avoiding computations for expressions that might never be needed. A promise object is closely related to lazy evaluation: it represents an expression whose evaluation has been delayed, together with the environment in which it will eventually be evaluated.
What the researchers at HiddenLayer discovered was a way to create a promise object with a payload that would run code of their choice when the object was accessed during RDS file deserialization.
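To make the two concepts concrete, here is an added example in R (not code from the article or from HiddenLayer's report). It shows a function argument that is never evaluated because the body never touches it, and a promise bound with delayedAssign() whose expression runs only when the binding is first read and is cached afterwards. Function and variable names are illustrative.

```r
# Added example: lazy evaluation and promise objects in R (illustrative, not from the article).

# Lazy evaluation: arguments are promises that are only forced when the body uses them.
lazy_demo <- function(x, unused) {
  message("entered function body")
  x + 1                      # forces `x`; `unused` is never forced, so no error occurs
}
lazy_demo(10, stop("this would abort if the argument were evaluated"))   # returns 11

# A promise bound directly in an environment: the expression runs on first access only.
env <- new.env()
delayedAssign("payload", {
  message("promise forced: this expression ran when the binding was read")
  42
}, assign.env = env)

ls(env)         # "payload" is bound, but the expression has not run yet
env$payload     # first access forces the promise: message is printed, value is 42
env$payload     # second access returns the cached 42; the message is not repeated

# The article describes a crafted RDS stream carrying a promise with an attacker-chosen
# expression; on affected R versions it is forced the same way, on first access to the
# loaded object. This block only demonstrates the language mechanism, not the bug.
```

The practical lesson is that "loading" a file is not the end of the story: a deserialized object can carry deferred computation that fires on the first ordinary read, such as printing it or passing it to a function.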
R packages leverage the RDS format to save and load data, according to HiddenLayer. Two files that facilitate this process are an .rdb file that contains all the serialized objects to be included in a package, and an .rdx file that contains metadata about each of the objects.
When a package is loaded, the metadata stored in the RDS format within the .rdx file is used to locate the objects within the .rdb file, according to the analysis. The objects within the .rdb files are then deserialized.
An attacker can exploit this by creating an RDS file that contains a specially crafted promise object embedded with arbitrary code, Schulz tells Dark Reading. Due to the way R implements lazy evaluation, the embedded arbitrary code will be executed once a user has loaded the malicious file or package. An attacker can relatively easily add a weaponized package to an R repository such as CRAN and simply wait for an unwary user to load that package.
There are literally dozens of major hubs, such as R-Forge and Bioconductor, that R developers use to share and download packages. Not only do these hubs give developers access to thousands of packages, but some, like Bioconductor, with more than 42 million downloads, are used regularly, Schulz says. Someone just needs to take advantage of the vulnerability and the massive open source space for R packages to affect thousands of downstream users in a potentially massive supply chain attack, he says.
Schulz recommends that organizations move to the latest version of R to mitigate risk. In addition, organizations should ensure that users of R are made aware of current and potential future vulnerabilities of this nature, and make it policy to only use known trusted files and packages.
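One way to turn that advice into a check, as an added example in R that is not from the article or from HiddenLayer: a wrapper that refuses to call readRDS() on an R build older than 4.4.0 (the release the article names as carrying the fix) and only accepts files whose checksum matches a value pinned in advance. The function name and the `trusted` allowlist are hypothetical; populate the allowlist from a source you control, such as the build that produced the files.

```r
# Added example: gate RDS deserialization on R version and a pinned checksum (illustrative).
load_trusted_rds <- function(path, trusted) {
  # Refuse to deserialize on a version without the fix the article names (R 4.4.0).
  if (getRversion() < "4.4.0") {
    stop("R ", getRversion(), " is older than 4.4.0; refusing to deserialize ", path)
  }
  path <- normalizePath(path, mustWork = TRUE)

  # Only files with a pinned checksum are loaded; anything else is rejected outright.
  expected <- trusted[[basename(path)]]
  if (is.null(expected)) {
    stop("no pinned checksum for ", basename(path), "; refusing to load")
  }
  actual <- unname(tools::md5sum(path))
  if (!identical(actual, expected)) {
    stop("checksum mismatch for ", path, ": pinned ", expected, ", got ", actual)
  }
  readRDS(path)
}

# Usage: pin the checksum when you produce the file yourself, then load through the wrapper.
tmp <- tempfile(fileext = ".rds")
saveRDS(list(a = 1:3, b = "constructed sample object"), tmp)
trusted <- setNames(list(unname(tools::md5sum(tmp))), basename(tmp))
str(load_trusted_rds(tmp, trusted))   # loads; tampering with tmp afterwards makes it stop()
```

tools::md5sum() is used here only because it ships with base R; for an allowlist that must resist a deliberate collision, pin a SHA-256 digest from a package such as openssl or digest instead. The version gate is a floor, not a guarantee: it does nothing about a malicious package that runs code through ordinary package mechanisms, which is why the article pairs the upgrade with a policy of loading only trusted files and packages.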
