Major security flaw in Rust on Windows

A critical security flaw within the standard library of the Rust programming language has been discovered.

It allows attackers to exploit a command injection vulnerability on Windows.

This concerns Rust’s ability to allow programs to run command-line utilities with options passed as arguments to the command.

Rust’s library for executing command-line programs does not properly escape arguments.

This could enable attackers to run arbitrary commands by passing specifically crafted arguments.

Therefore, unauthenticated attackers could execute any program on a machine without user interaction — with very little complexity.

Microsoft-owned version management system GitHub has given critical severity status to this vulnerability with a maximum CVSS base score of 10/10.

“The severity of this vulnerability is critical if you are invoking batch files on Windows with untrusted arguments. No other platform or use is affected,” The Rust Security Response Working Group said in a blog post.

“Due to the complexity of cmd.exe, we didn’t identify a solution that would correctly escape arguments in all cases. To maintain our API guarantees, we improved the robustness of the escaping code and changed the Command API to return an InvalidInput error when it cannot safely escape an argument.”

An update to the programming language, Rust 1.77.2, will introduce a security patch to the standard library to resolve the issue.

Latest news

Partner Content

Show comments


Share this article
Major security flaw in Rust on Windows