A new R programming vulnerability exposes projects to supply chain attacks

A security vulnerability in the R programming language, assigned CVE-2024-27322, enables threat actors to execute malicious code through specially crafted RDS files, potentially leading to supply chain attacks by manipulating R packages. The flaw, resolved in version 4.4.0, revolves around lazy evaluation in R, allowing attackers to override RDS files within package repositories. Exploiting the vulnerability involves creating RDS files that contain arbitrary code, which executes when the file is loaded or dereferenced. Security researchers emphasize the risk that R packages could be weaponized and added to repositories, with the malicious code then executing automatically. The exploit's discovery prompted responsible disclosure and the release of the patched version, highlighting the importance of prompt updates to mitigate such vulnerabilities.
https://thehackernews.com/2024/04/new-r-programming-vulnerability-exposes.html