top of page
  • Ace

R Programming Language Flaw Allows Code Execution via RDS/RDX Files

A new vulnerability has been discovered in the R programming language that allows code execution upon deserializing specially crafted RDS and RDX files.

What is R programming language?

R is an open-source programming language that is particularly popular among statisticians and data miners who develop and use custom data analysis models, and it is also seeing increased adoption by the emerging AI/ML field.

Researchers at HiddenLayer recently discovered a vulnerability in R, tracked as "CVE-2024-27322", that enables attackers to run arbitrary code on target machines when the victim opens R Data Serialization (RDS) or R package files (RDX).

The vulnerability exploits the way R handles serialization ('saveRDS') and deserialization ('readRDS'), particularly through promise objects and "lazy evaluation". Attackers can embed promise objects with arbitrary code in the RDS file metadata in the form of expressions, which are evaluated during deserialization, resulting in the code's execution.

Impact and Mitigation

HiddenLayer explains that CVE-2024-27322 has far-reaching implications due to its extensive use in critical sectors and the large number of packages deployed in data analysis environment without sufficient checks.

CERT/CC has issued an alert to warn projects and organizations that use R and the readRDS function on unverified packages of the need to update to R Core version 4.4.0, which addresses CVE-2024-27322.

(R Core v4.4.0 introduces restrictions on using promises in the serialization stream, preventing arbitrary code execution.)

Organizations that cannot upgrade immediately or want to implement additional security layers should run RDS/RDX files in isolated environments such as sandboxes and containers to prevent code execution on the underlying system.

For any enquiries, give us a call at 6262 0402 or email us at

3 views0 comments


bottom of page