A security issue with R serialization

A security issue was found in how the R language serializes objects, and has since been patched.

The security issue is documented under CVE-2024-27322. It affects the serialization functions that were advertised in an earlier note.

The R Core Team recently reported that the issue has been fixed as of R 4.4.0, and that ‘any attack vector associated with it has been removed.’

This episode is a reminder that R is a programming language and, as such, raises the same security concerns as any other programming language.

Slightly over a decade ago, these concerns led Jeroen Ooms to develop the RAppArmor package, in order to enable users to restrict the execution environment of R through dynamic sandboxing.

Update (May 28, 2024): thanks to R Weekly for mentioning this note.

  • First published on May 24th, 2024