Critical Rust Vulnerability Enables Windows Command Injection, Impacts Multiple Languages
- A critical Rust vulnerability (CVE-2024-24576) enables command injection on Windows because the standard library did not properly escape arguments when invoking batch files, which Windows runs through cmd.exe.
- The flaw bypasses the argument escaping and lets an attacker execute arbitrary commands on the operating system; it carries the maximum CVSS score of 10/10.
- It affects Rust versions before 1.77.2 on Windows whenever a program invokes a batch file with untrusted arguments.
- The Rust team could not find a way to escape arguments correctly in every case, so it improved the escaping code and now returns an error when an argument cannot be escaped safely.
- The same flaw also affects Erlang, Go, Haskell, Java, Node.js, PHP, Python, and Ruby, though not all of them have patches yet.
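As an added example (not code from the advisory or the Rust project), a small wrapper that applies a conservative allowlist to arguments before handing them to a batch file and otherwise refuses to spawn with an `InvalidInput` error, the same error kind Rust 1.77.2's standard library returns when it cannot escape an argument safely. The `is_safe_batch_arg` and `run_batch` helpers and the allowlist they use are assumptions for illustration, not the standard library's own escaping rules.

```rust
use std::io;
use std::process::{Command, Output};

/// Conservative allowlist for arguments destined for a .bat/.cmd script.
/// cmd.exe re-parses the command line it receives, so instead of trying to
/// escape every metacharacter, anything outside a small safe set is rejected.
/// Hypothetical helper; the set is deliberately narrower than what cmd.exe
/// could accept, not a model of its parser.
pub fn is_safe_batch_arg(arg: &str) -> bool {
    !arg.is_empty()
        && arg.chars().all(|c| {
            c.is_ascii_alphanumeric() || matches!(c, '-' | '_' | '.' | ':' | '\\' | '/')
        })
}

/// Validate every argument first, then spawn the batch file.
/// Mirrors the post-fix standard library behaviour of returning
/// `io::ErrorKind::InvalidInput` rather than passing an unsafe argument on.
pub fn run_batch(script: &str, args: &[&str]) -> io::Result<Output> {
    if let Some(bad) = args.iter().find(|a| !is_safe_batch_arg(a)) {
        return Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            format!("refusing to pass argument to batch file: {bad:?}"),
        ));
    }
    Command::new(script).args(args).output()
}

fn main() {
    // Constructed inputs: a benign build profile and a string carrying a quote
    // and cmd.exe metacharacters that the allowlist rejects before any spawn.
    for arg in ["release", "\"&calc"] {
        match run_batch("build.bat", &[arg]) {
            Ok(out) => println!("exit status: {}", out.status),
            // Same arm handles the error a patched std returns on Windows.
            Err(e) if e.kind() == io::ErrorKind::InvalidInput => {
                println!("rejected unsafe argument: {e}")
            }
            Err(e) => println!("spawn failed: {e}"),
        }
    }
}
```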