PT-2024-3505 · R+2

Kasimir Schulz

Published 2024-04-29 · Updated 2025-04-30

CVE-2024-27322

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: R versions 1.4.0 through 4.3.9

Description: The R statistical programming language has a deserialization vulnerability that occurs when untrusted data is deserialized. A maliciously crafted RDS (R Data Serialization) file or R package can run arbitrary code on an end user's system when the user loads or otherwise interacts with it. Because the vector is a specially crafted RDS file or R package, projects that consume third-party packages or data files are potentially exposed to supply chain attacks. The issue is related to R's handling of promise objects and lazy evaluation during deserialization.

Recommendations: To resolve the issue, update to R version 4.4.0 or later, where the vulnerability has been patched. For versions prior to 4.4.0, avoid using untrusted RDS files or R packages, and be cautious when loading or referencing data from unknown sources. As a temporary workaround, consider restricting access to the readRDS function or disabling the use of RDS files until the patch is applied.

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

ALT-PU-2025-5967
AZL-42792
AZL-42815
BDU:2024-03807
CVE-2024-27322

Affected Products

Alt Linux
Debian
R