A critical security vulnerability in the Rust standard library, tracked as CVE-2024-24576, exposes Windows systems to command injection. The flaw is an OS command and argument injection weakness that lets threat actors execute unexpected commands on the affected operating system. GitHub has rated the vulnerability with the maximum CVSS base score of 10/10, highlighting its severity.
The Rust Security Response working group was notified of the issue: improper argument escaping when invoking batch files on Windows through the Command API can lead to arbitrary shell command execution. Attackers can exploit this flaw remotely and without user interaction, posing a significant risk to affected systems. Notably, the vulnerability is rated critical specifically when a program invokes batch files on Windows with untrusted arguments.
All Rust versions before 1.77.2 on Windows are susceptible if a program or its dependencies execute batch files with untrusted arguments. To address the vulnerability, the Rust security team enhanced the escaping code’s robustness and modified the Command API to mitigate potential exploitation. Additionally, the team advises moving batch files to directories not included in the PATH environment variable to prevent unexpected executions.
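The following is an added example, not code from the Rust project or from the article, showing the two defensive checks a maintainer of a Windows program that shells out to `.bat`/`.cmd` files would want: refusing untrusted arguments that cannot be passed to a batch file without escaping (the fixed standard library, from 1.77.2 on, likewise returns an `InvalidInput` error instead of building an unsafe command line), and auditing the PATH for batch files as the advisory recommends. The allowlist policy, the function names, and the constructed PATH and directory listing are this example's own assumptions; the command is built but not spawned, so the code runs on any platform.

```rust
// Added example (not code from the Rust project or the article): a defensive
// wrapper around std::process::Command for programs that must invoke a .bat/.cmd
// file with untrusted arguments. The allowlist policy and function names are
// this example's own assumptions.
use std::io;
use std::path::Path;
use std::process::Command;

/// Allowlist of characters that cmd.exe does not interpret when parsing a batch
/// file's command line (quotes, `&`, `|`, `%`, `!`, CR/LF and spaces are all
/// excluded). Rejecting arguments outright is safer than trying to escape them,
/// which is the class of mistake behind CVE-2024-24576. Policy chosen for this example.
fn is_safe_batch_arg(arg: &str) -> bool {
    !arg.is_empty()
        && arg.chars().all(|c| {
            c.is_ascii_alphanumeric() || matches!(c, '-' | '_' | '.' | '=' | ':' | '\\' | '/')
        })
}

/// Return every argument that fails the allowlist, so the caller can log them.
fn rejected_batch_args<'a>(args: &[&'a str]) -> Vec<&'a str> {
    args.iter().copied().filter(|a| !is_safe_batch_arg(a)).collect()
}

/// Build (but do not spawn) a Command for a batch file, refusing untrusted
/// arguments that fail validation. Mirrors the post-fix standard library, which
/// returns an InvalidInput error rather than producing an unsafe command line.
fn build_batch_command(script: &Path, args: &[&str]) -> io::Result<Command> {
    let bad = rejected_batch_args(args);
    if !bad.is_empty() {
        return Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            format!("refusing to pass unsafe batch argument(s): {:?}", bad),
        ));
    }
    let mut cmd = Command::new(script);
    cmd.args(args);
    Ok(cmd)
}

/// Audit helper for the advisory's PATH recommendation: given the PATH directories
/// and a (directory, file name) listing, report batch files that live on the PATH.
/// The listing is passed in so the check runs on constructed data offline.
fn batch_files_on_path(path_dirs: &[&str], listing: &[(&str, &str)]) -> Vec<String> {
    listing
        .iter()
        .filter(|(dir, file)| {
            path_dirs.iter().any(|p| p.eq_ignore_ascii_case(dir))
                && Path::new(file).extension().map_or(false, |e| {
                    e.eq_ignore_ascii_case("bat") || e.eq_ignore_ascii_case("cmd")
                })
        })
        .map(|(dir, file)| format!("{}\\{}", dir, file))
        .collect()
}

fn main() {
    // Constructed inputs: one benign argument and one carrying cmd.exe metacharacters.
    let untrusted = ["report.txt", "report.txt\" & echo injected"];
    match build_batch_command(Path::new(r"C:\tools\convert.bat"), &untrusted) {
        Ok(_cmd) => println!("command built; spawn it only on Windows"),
        Err(e) => println!("blocked: {}", e), // expected outcome for this input
    }

    // Constructed PATH and listing: flags the batch file sitting in a PATH directory.
    let path = [r"C:\Windows\System32", r"C:\tools"];
    let listing = [
        (r"C:\tools", "convert.bat"),
        (r"C:\scripts", "deploy.cmd"),
        (r"C:\tools", "readme.txt"),
    ];
    for hit in batch_files_on_path(&path, &listing) {
        println!("batch file on PATH: {}", hit);
    }
}
```

The allowlist is deliberately strict (it rejects spaces, so a caller that needs them should pass a file path rather than free text); loosening it to "escape instead of reject" is exactly the design that proved fragile here, and on Rust 1.77.2 or later the standard library's own `InvalidInput` error should still be handled as a second line of defence when the command is actually spawned.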