[R] De-serialization vulnerability?

Howard, Tim G (DEC) t|m@how@rd @end|ng |rom dec@ny@gov
Wed May 1 18:57:18 CEST 2024


All, 
There seems to be a hullaboo about a vulnerability in R when deserializing untrusted data:

https://hiddenlayer.com/research/r-bitrary-code-execution

https://nvd.nist.gov/vuln/detail/CVE-2024-27322

https://www.kb.cert.org/vuls/id/238194


Apparently a fix was made for R 4.4.0, but I see no mention of it in the changes report:

https://cloud.r-project.org/bin/windows/base/NEWS.R-4.4.0.html

Is this real?  Were there changes in R 4.4.0 that aren't reported?

Of course, we should *always* update to the most recent version, but I was confused why it wasn't mentioned in the release info. 

Thanks,
Tim



More information about the R-help mailing list