PT-2024-2720 · Rust+2

Ry0Tak

·

Published

2024-04-09

·

Updated

2026-01-05

·

CVE-2024-24576

CVSS v3.1

10

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Rust versions prior to 1.77.2
Description

A critical security flaw in the Rust standard library could be exploited to target Windows users and stage command injection attacks. The vulnerability allows attackers to execute arbitrary shell commands by bypassing the escaping of arguments when invoking batch files on Windows using the Command API. The severity of this vulnerability is critical for those who invoke batch files on Windows with untrusted arguments. No other platform or use is affected.
The Command::arg and Command::args APIs state in their documentation that the arguments will be passed to the spawned process as-is, regardless of the content of the arguments, and will not be evaluated by a shell. However, on Windows, the implementation is more complex due to the Windows API only providing a single string containing all the arguments to the spawned process. The standard library implements custom escaping for arguments passed to batch files, but it was reported that this escaping logic was not thorough enough, allowing malicious arguments to result in arbitrary shell execution.
Recommendations

To resolve the issue, update to Rust 1.77.2 or later. If you are using a version prior to 1.77.2, consider disabling the execution of batch files or restricting the use of the Command API until a patch is available. Additionally, be cautious when passing untrusted input as arguments to the Command API, as this could lead to command injection attacks. If you implement the escaping yourself or only handle trusted inputs on Windows, you can also use the CommandExt::raw_arg method to bypass the standard library's escaping logic.
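The recommendations above come down to three controls: update the toolchain, keep untrusted arguments away from batch files, or take escaping into your own hands via CommandExt::raw_arg. The Rust program below is an added illustration written for this entry; it is not code from the Rust project or from the advisory author. It applies the second and third controls: it detects when the target is a .bat or .cmd file, rejects any argument outside a strict allow-list instead of trying to escape it, and on Windows hands the vetted argument over with raw_arg. The helper names (is_batch_file, is_safe_batch_arg, build_command, push_checked_arg) and the sample program and argument values are assumptions made up for the example.

```rust
use std::path::Path;
use std::process::Command;

/// Returns true when `program` names a Windows batch script (.bat or .cmd).
/// Only this case is affected by CVE-2024-24576: cmd.exe re-parses the single
/// argument string, so any escaping done by the caller or the standard library
/// has to match cmd.exe's own rules exactly.
pub fn is_batch_file(program: &str) -> bool {
    Path::new(program)
        .extension()
        .and_then(|ext| ext.to_str())
        .map(|ext| ext.eq_ignore_ascii_case("bat") || ext.eq_ignore_ascii_case("cmd"))
        .unwrap_or(false)
}

/// Allow-list check for an argument that will reach a batch file. Only ASCII
/// alphanumerics and a few characters cmd.exe does not interpret are accepted;
/// quotes, `%`, `!`, `^`, `&`, `|`, `<`, `>`, whitespace and control characters
/// are rejected outright rather than escaped.
pub fn is_safe_batch_arg(arg: &str) -> bool {
    !arg.is_empty()
        && arg.chars().all(|c| {
            c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_' | ':' | '/' | '\\')
        })
}

#[derive(Debug, PartialEq)]
pub enum ArgError {
    /// Carries the offending argument so the caller can log what was refused.
    Rejected(String),
}

/// Builds a `Command`. For batch files every argument must pass the allow-list;
/// for ordinary executables the standard `args` path is used unchanged.
pub fn build_command(program: &str, args: &[&str]) -> Result<Command, ArgError> {
    let mut cmd = Command::new(program);
    if is_batch_file(program) {
        for arg in args {
            if !is_safe_batch_arg(arg) {
                return Err(ArgError::Rejected(arg.to_string()));
            }
            push_checked_arg(&mut cmd, arg);
        }
    } else {
        cmd.args(args);
    }
    Ok(cmd)
}

/// On Windows an allow-listed argument needs no escaping at all, so it can be
/// passed verbatim with `CommandExt::raw_arg`, the bypass the advisory mentions
/// for callers that handle escaping (or, as here, validation) themselves.
#[cfg(windows)]
fn push_checked_arg(cmd: &mut Command, arg: &str) {
    use std::os::windows::process::CommandExt;
    cmd.raw_arg(arg);
}

/// Elsewhere `raw_arg` does not exist and the normal `arg` path is used.
#[cfg(not(windows))]
fn push_checked_arg(cmd: &mut Command, arg: &str) {
    cmd.arg(arg);
}

fn main() {
    // Constructed inputs: a benign invocation and one carrying a cmd.exe
    // metacharacter that would be re-parsed by the batch interpreter.
    match build_command("deploy.bat", &["release", "build-42"]) {
        Ok(cmd) => println!("accepted {} argument(s)", cmd.get_args().count()),
        Err(e) => println!("refused: {:?}", e),
    }
    match build_command("deploy.bat", &["release", "a&b"]) {
        Ok(cmd) => println!("accepted {} argument(s)", cmd.get_args().count()),
        Err(e) => println!("refused: {:?}", e),
    }
}
```

Rejecting rather than escaping is the design choice here: the advisory exists precisely because escaping for cmd.exe is hard to get right, and a narrow allow-list needs no knowledge of cmd.exe's quoting rules. Ordinary executables are not filtered, matching the advisory's statement that only batch-file invocations are affected.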

Exploit

Fix

Weakness Enumeration

OS Command Injection
Argument Injection

Related Identifiers

ALT-PU-2024-15409
ALT-PU-2024-15614
BDU:2024-02838
BIT-NODE-2024-3566
BIT-NODE-MIN-2024-3566
CVE-2024-24576
GHSA-Q455-M56C-85MH
HSEC-2024-0003
MGASA-2025-0136
OPENSUSE-SU-2024:13966-1

Affected Products

Alt Linux
Red Os
Rust