PT-2024-35695 · Rizin · Rizin

Ifygecko · Published 2024-12-23 · Updated 2024-12-28 · CVE-2024-53256

CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
Rizin versions prior to 0.7.4

Description
Rizin is a UNIX-like reverse engineering framework and command-line toolset. A code snippet in rizin.c suffered a command injection due to the use of rz_core_cmdf to invoke the command m, which was removed in v0.1.x. When a malicious binary defines bclass (part of RzBinInfo) and rclass (also part of RzBinInfo) is set to fs, the bclass value is executed as a command; the issue can be exploited through any bin format where bclass and rclass are user defined.

Recommendations
For versions prior to 0.7.4, update to version 0.7.4 to resolve the issue. As a temporary workaround, consider restricting the use of user-defined bclass and rclass in bin formats to minimize the risk of exploitation. Avoid using the rz_core_cmdf function to invoke commands until the issue is resolved.
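
The pattern described above, shown as an added example that is not Rizin's code: a file-supplied field formatted into command text, beside a form that validates the field and passes it as data. The toy interpreter, the "m /root %s" argument layout and all function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy interpreter: ';' separates commands; returns how many would run. */
static int toy_run(const char *line) {
    int n = 0;
    for (const char *p = line; *p;) {
        while (*p == ';' || *p == ' ') p++;
        if (!*p) break;
        n++;                           /* one command dispatched */
        while (*p && *p != ';') p++;
    }
    return n;
}

/* Vulnerable pattern: a file-supplied field is formatted into command text.
 * The "m /root %s" argument layout is assumed for illustration. */
int mount_unsafe(const char *rclass, const char *bclass) {
    char cmd[256];
    if (strcmp(rclass, "fs") != 0) return 0;
    snprintf(cmd, sizeof cmd, "m /root %s", bclass);
    return toy_run(cmd);
}

/* Hypothetical typed call that treats its argument as data only. */
static int toy_mount(const char *fstype) { (void)fstype; return 1; }

/* Accept only short identifier-like names. */
static int is_plain_name(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 32) return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '_') return 0;
    return 1;
}

/* Hardened form: validate, then call the typed function; no command string is built. */
int mount_checked(const char *rclass, const char *bclass) {
    if (strcmp(rclass, "fs") != 0) return 0;
    if (!is_plain_name(bclass)) return -1;  /* rejected */
    return toy_mount(bclass);
}

int main(void) {
    const char *evil = "ext2; echo INJECTED";  /* constructed sample value */
    printf("unsafe:  %d commands\n", mount_unsafe("fs", evil));
    printf("checked: %d\n", mount_checked("fs", evil));
    return 0;
}
```

In the unsafe form the constructed value yields two dispatched commands instead of one; the checked form rejects it before any command text exists.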

Weakness Enumeration: OS Command Injection

Related Identifiers

CVE-2024-53256
GHSA-5JHC-FRM4-P8V9

Affected Products

Rizin