CVE-2024-27322
Published: 2024-04-29
Priority: P263 · Severity: high · CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 23.62% (97.5th percentile)
Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | r-base | < r-base 4.4.0-2 (forky) | r-base 4.4.0-2 (forky) |
| msrc | azl3_r_4.3.2-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_r_4.4.1-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_r_4.1.0-5_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| the_r_project | r | >= 1.4.0 < 4.4.0 | 4.4.0 |
Detection & IOCs (extracted from sources)
- Monitor for invocation of the R `readRDS` function on unverified or externally sourced files, which is the deserialization entry point exploited by CVE-2024-27322.
- Detect promise objects with embedded expressions in RDS file metadata, as these are the mechanism used to achieve arbitrary code execution during deserialization.
- Flag downloads of RDS/RDX files or R packages from public repositories (e.g., CRAN) for inspection, as attackers may distribute malicious packages passively and wait for victims to download them.
- Alert on R versions 1.4.0 through 4.3.x in the environment; any host running these versions is vulnerable to exploitation via malicious RDS/RDX files.
- The vulnerability is exploited specifically through R's lazy evaluation mechanism for promise objects during deserialization; R 4.4.0 mitigates this by restricting promises in the serialization stream.
- Exploitation requires a social engineering component (the victim must open the malicious file), but passive supply-chain distribution via public repositories is also a viable attack vector.
- Debian bookworm and bullseye remain unpatched (open); forky, sid, and trixie are resolved at version 4.4.0-2. Environments running these Debian releases should be prioritized for patching.
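An added example, not code from any source quoted on this page, for the second detection item above (promise objects inside RDS data): a static Python walker over R's XDR serialization format that reports the byte offset of every PROMSXP node without ever handing the file to R's unserialize(), so nothing in it can be evaluated. It covers the common node types and fails closed on any other; the RDS header values, the be32 helper and the BENIGN/SUSPECT blobs are constructed for illustration, and a promise whose expression is a bare symbol stands in for a crafted payload.

```python
import gzip, struct
PAIRLIKE = {2, 3, 5, 6, 17}                       # LISTSXP, CLOSXP, PROMSXP, LANGSXP, DOTSXP
ATOMIC = {10: 4, 13: 4, 14: 8, 15: 16, 24: 1}     # LGLSXP, INTSXP, REALSXP, CPLXSXP, RAWSXP: bytes per element
NESTED = {16, 19, 20}                             # STRSXP, VECSXP, EXPRSXP: a length, then that many items
LEAVES = {241, 242, 247, 251, 252, 253, 254, 255} # BASEENV, EMPTYENV, BASENAMESPACE, MISSINGARG, UNBOUNDVALUE, GLOBALENV, NIL, REFSXP
_int = lambda buf, pos: (struct.unpack_from(">i", buf, pos)[0], pos + 4)   # XDR = big-endian 32-bit ints
be32 = lambda n: struct.pack(">i", n)
def _walk(buf, pos, hits):
    # Skip one serialized item, appending the offset of every PROMSXP flags word to hits.
    flags, pos = _int(buf, pos)
    stype, has_attr, has_tag = flags & 0xFF, flags & 0x200, flags & 0x400
    if stype in LEAVES:                           # REFSXP carries its index in flags>>8 or in the next int
        return pos + 4 if stype == 255 and not flags >> 8 else pos
    if stype in PAIRLIKE:                         # attr?, tag?, CAR, CDR (promise: env?, value, expression)
        if stype == 5:                            # PROMSXP
            hits.append(pos - 4)
        for present in (has_attr, has_tag, True, True):
            pos = _walk(buf, pos, hits) if present else pos
        return pos
    if stype == 1:                                # SYMSXP: print name follows as a CHARSXP
        return _walk(buf, pos, hits)
    n, pos = _int(buf, pos)                       # CHARSXP and vectors: a length comes next
    if stype == 9:                                # CHARSXP: byte length (-1 = NA), then the bytes
        pos += max(n, 0)
    elif stype in ATOMIC:
        pos += n * ATOMIC[stype]
    elif stype in NESTED:
        for _ in range(n):
            pos = _walk(buf, pos, hits)
    else:
        raise ValueError(f"unsupported SEXP type {stype} at offset {pos - 8}")
    return _walk(buf, pos, hits) if has_attr else pos   # attributes trail a vector's payload

def find_promises(data):
    # Byte offsets of PROMSXP nodes in an RDS blob (gzip or raw XDR), found without handing it to R.
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    if data[:2] != b"X\n":
        raise ValueError("only the XDR ('X\\n') serialization format is handled")
    version, pos = _int(data, 2)[0], 14           # skip the writer's R version and the minimum reader version
    if version == 3:
        pos += 4 + _int(data, pos)[0]             # native encoding name, e.g. "UTF-8"
    hits = []
    _walk(data, pos, hits)
    return hits
# Constructed samples, not real files: an RDS v3 header, list(42L), and the same list with a promise appended.
HEADER = b"X\n" + be32(3) + be32(0x00040302) + be32(0x00030500) + be32(5) + b"UTF-8"
PROMISE = be32(5) + be32(252) + be32(1) + be32(0x40009) + be32(3) + b"sum"   # PROMSXP: UNBOUNDVALUE, expr `sum`
BENIGN = HEADER + be32(19) + be32(1) + be32(13) + be32(1) + be32(42)
SUSPECT = HEADER + be32(19) + be32(2) + be32(13) + be32(1) + be32(42) + PROMISE
```

Offsets are into the decompressed stream; saveRDS() gzip-compresses by default, and real files may also carry ENVSXP or bytecode nodes, which this subset rejects rather than silently skips.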
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | LOW | — |
| vendor_msrc | — | 8.8 | HIGH | — |
GHSA
GHSA-82x4-8q4x-2qxv · ghsa_unreviewed · 2024-04-29 · HIGH · CWE-502
OSV
CVE-2024-27322 · osv · 2024-04-29 · CVSS 8.8 · HIGH
Microsoft
R Language Vulnerable to Arbitrary Code Execution via Malicious RDS Files (v1.4.0–<4.4.0)
vendor_msrc · 2024-04-09 · CVSS 8.8 · HIGH · CWE-502
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Product: Mariner
Acknowledgement: HiddenLayer
Customer Action Required: Yes
Remediation: CBL-Mariner Re
Debian
CVE-2024-27322: r-base · vendor_debian · 2024 · CVSS 8.8 · HIGH
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 4.4.0-2)
sid: resolved (fixed in 4.4.0-2)
trixie: resolved (fixed in 4.4.0-2)
No detection rules found.
No public exploits indexed.
Checkpoint
6th May – Threat Intelligence Report
blogs_checkpoint · 2024-05-06
CVE-2024-26304 · 6th May – Threat Intelligence Report
## 6th May – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 29th April, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
In a joint statement with Germany and NATO, the Czech Republic uncovered a cyber espionage campaign by Russian state affiliated actor APT28. These cyber-attacks targeted Czech institutions using a new vulnerability in Microsoft Outlook. APT28, linked to Russian military intelligence, is involved in a long-term espionage campaign
Bleepingcomputer
R language flaw allows code execution via RDS/RDX files
blogs_bleepingcomputer · 2024-04-30 · CVSS 8.8 · HIGH
## R language flaw allows code execution via RDS/RDX files
By Bill Toulas
A new vulnerability has been discovered in the R programming language that allows arbitrary code execution upon deserializing specially crafted RDS and RDX files.
R is an open-source programming language that is particularly popular among statisticians and data miners who develop and use custom data analysis models, and it is also seeing increased adoption by the emerging AI/ML field.
Researchers at HiddenLayer recently discovered a vulnerability in R, tracked as CVE-2024-27322 (CVSS v3: 8.8), that enables attackers to run arbitrary code on target machines when the victim opens R Data Serialization (RDS) or R package files (RDX).
The vulnerability exploits the way R handles serialization ('saveRDS') and deserial
References
- http://www.openwall.com/lists/oss-security/2024/04/29/3
- https://hiddenlayer.com/research/r-bitrary-code-execution/
- https://www.kb.cert.org/vuls/id/238194
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLV4OWXZIJ7EFBIWUZADUSHYJTFAQ4D/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JVE5FDLFJGTAMOSJ6DREFAODEUBRFWSG/
Published: 2024-04-29