
Dewey Dunnington

#23377 of 53,633
Total CVSS: 10
Vulnerabilities · 1
PT-2024-9096
10
2024-06-13
Apache · Apache Arrow R Package · CVE-2024-52338
Name of the Vulnerable Software and Affected Versions: Apache Arrow R package (`arrow` on CRAN), versions 4.0.0 through 16.1.0.

Description: Deserialization of untrusted data in the IPC and Parquet readers of the Apache Arrow R package allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather, or Parquet data from untrusted sources, such as user-supplied input files. This vulnerability only affects the Apache Arrow R package, not other Apache Arrow implementations or bindings, unless those bindings are used via an affected version of the R package.

Recommendations: Users of the Apache Arrow R package should upgrade to version 17.0.0 or later. Downstream libraries should likewise raise their dependency requirement to arrow 17.0.0 or later. If an affected version cannot be upgraded, untrusted data can be read into an Arrow Table instead of directly into a data frame, and the Table's internal `to_data_frame()` method used to convert it, for example `read_parquet(..., as_data_frame = FALSE)$to_data_frame()`.
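The following R snippet is an added example (not code from the advisory, the researcher, or the Apache Arrow project) showing how to apply the workaround above to all three affected readers while an affected `arrow` version is installed. The wrapper function names and the `path` argument are assumptions for illustration; `read_parquet()`, `read_feather()`, `read_ipc_stream()`, their `as_data_frame` argument and the Table `$to_data_frame()` method are the real `arrow` R API.

```r
library(arrow)

# TRUE when the installed arrow R package is in the affected range 4.0.0 .. 16.1.0.
arrow_is_affected <- function() {
  v <- packageVersion("arrow")
  v >= "4.0.0" && v <= "16.1.0"
}

# Convert an Arrow Table to a data frame via the workaround path from the
# advisory: the Table's own to_data_frame() method rather than the reader's
# default as_data_frame = TRUE conversion.
table_to_df <- function(tbl) {
  tbl$to_data_frame()
}

# Read a user-supplied (untrusted) Parquet file. `path` is assumed to come
# from outside the trust boundary, e.g. an upload.
read_untrusted_parquet <- function(path) {
  if (!arrow_is_affected()) {
    return(read_parquet(path))                       # 17.0.0+: patched reader
  }
  # Affected version: never call read_parquet(path) with the default
  # as_data_frame = TRUE. Read into a Table first, then convert.
  table_to_df(read_parquet(path, as_data_frame = FALSE))
}

# Same pattern for Feather (v1/v2) files.
read_untrusted_feather <- function(path) {
  if (!arrow_is_affected()) {
    return(read_feather(path))
  }
  table_to_df(read_feather(path, as_data_frame = FALSE))
}

# Same pattern for Arrow IPC streams.
read_untrusted_ipc_stream <- function(path) {
  if (!arrow_is_affected()) {
    return(read_ipc_stream(path))
  }
  table_to_df(read_ipc_stream(path, as_data_frame = FALSE))
}

# Usage (constructed, round-trips a small data frame through a temp file):
tmp <- tempfile(fileext = ".parquet")
write_parquet(data.frame(id = 1:3, name = c("a", "b", "c")), tmp)
df <- read_untrusted_parquet(tmp)
stopifnot(nrow(df) == 3, identical(names(df), c("id", "name")))
```

The version gate matters in both directions: on a patched release the plain reader is the right call, and on an affected release the wrapper must be the only entry point your code uses for external files, since a single stray `read_parquet(path)` elsewhere reintroduces the exposure. Treat the wrapper as a stopgap and still schedule the upgrade to 17.0.0 or later.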