PT-2024-36790 · Pyrage · Pyrage

Gaby · Published 2024-12-18 · Updated 2024-12-20 · CVE-2024-56327

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

pyrage versions 1.2.0 through 1.2.2

Description

The issue concerns the execution of arbitrary binaries due to malicious plugin names, recipients, or identities. This can occur when a plugin name containing a path separator is provided to the age CLI or certain age APIs, such as age::plugin::Identity::from_str or age::plugin::Recipient::from_str. The attack requires a directory matching age-plugin-* to exist in the working directory on UNIX systems. The binary is executed with a specific flag and receives the recipient or identity string and other data as standard input, following the age-plugin protocol. An equivalent issue was fixed in the reference Go implementation of age.

Recommendations

For pyrage versions 1.2.0 through 1.2.2, update to version 1.2.3 to address the issue. As a temporary workaround, consider disabling the plugin feature to minimize the risk of exploitation. Restrict access to the age-plugin-* directory to prevent the attack from succeeding. Avoid using plugin names containing path separators in the affected age APIs until the issue is resolved. At the moment, there are no other known workarounds for this vulnerability.
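A pre-check an application could run on untrusted recipient or identity strings before handing them to pyrage, as an added example (not pyrage's or age's own code). It assumes the age plugin string layout (age1<name>1<data> for recipients, AGE-PLUGIN-<NAME>-1<data> for identities) and an allowlist of alphanumerics plus "+-._"; the function names are hypothetical.

```python
import re

# Assumption: allow only ASCII alphanumerics plus "+-._" in a plugin name.
# The advisory itself only states that names with a path separator are unsafe.
SAFE_NAME = re.compile(r"[A-Za-z0-9+\-._]+")
IDENTITY_PREFIX = "AGE-PLUGIN-"


def plugin_name(encoded: str):
    """Return the plugin name carried by an age plugin recipient or identity
    string, or None for a native (non-plugin) string."""
    # Bech32 layout: <human-readable part> "1" <data>; the data alphabet has
    # no "1", so the last "1" is the separator.
    hrp, sep, _data = encoded.strip().rpartition("1")
    if not sep:
        return None
    if hrp.startswith("age1") and len(hrp) > len("age1"):
        return hrp[len("age1"):]                      # age1<name>1<data>
    if (hrp.startswith(IDENTITY_PREFIX) and hrp.endswith("-")
            and len(hrp) > len(IDENTITY_PREFIX) + 1):
        return hrp[len(IDENTITY_PREFIX):-1].lower()   # AGE-PLUGIN-<NAME>-1<data>
    return None


def vet(encoded: str):
    """Raise ValueError if the string names a plugin outside the allowlist;
    otherwise return the plugin name (None for native strings)."""
    name = plugin_name(encoded)
    if name is not None and not SAFE_NAME.fullmatch(name):
        raise ValueError(f"refusing plugin name {name!r}")
    return name


if __name__ == "__main__":
    # Constructed samples: data parts are filler, not valid Bech32 checksums.
    samples = ["age1yubikey1qqqq", "AGE-PLUGIN-YUBIKEY-1QQQQ",
               "age1qqqq", "age1a/b1qqqq", "AGE-PLUGIN-A/B-1QQQQ"]
    for s in samples:
        try:
            print(s, "->", vet(s))
        except ValueError as exc:
            print(s, "->", exc)
```

Such a check only filters input on affected versions; it does not replace the update to 1.2.3.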

Exploit

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2024-56327
GHSA-32GQ-X56H-299C
GHSA-47H8-JMP3-9F28
GHSA-4FG7-VXC8-QX5W
GO-2024-3344

Affected Products

Pyrage