A vulnerability in the R programming language, tracked as CVE-2024-27322, enables the execution of arbitrary code when parsing specially crafted RDS and RDX files. The attack vector is very effective because RDS files or R packages are often shared between developers and data scientists, posing a significant threat in both development and production environments. The flaw involves promise objects and lazy evaluation in R, allowing attackers to embed arbitrary code that gets executed upon deserialization, potentially leading to the compromise of systems.
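As a triage aid for RDS files received from outside, the following added example (not code from the article or from the R project) reads the RDS header without invoking R and reports whether the top-level serialized object is a promise. The header layout and the type code 5 for promises are taken from R's serialization format as assumed here; treating a top-level promise as suspicious is this example's own heuristic, and it does not inspect nested objects or RDX/RDB package files.

```python
import bz2, gzip, lzma, struct

PROMSXP = 5  # SEXPTYPE code R uses for promise objects

def _decompress(data):
    # saveRDS() gzips by default; bzip2, xz and uncompressed streams also occur.
    if data[:2] == b"\x1f\x8b":
        return gzip.decompress(data)
    if data[:3] == b"BZh":
        return bz2.decompress(data)
    if data[:6] == b"\xfd7zXZ\x00":
        return lzma.decompress(data)
    return data

def inspect_rds(data):
    """Parse the RDS header and report the type of the top-level object."""
    raw = _decompress(data)
    if raw[:2] != b"X\n":
        raise ValueError("not an XDR-format RDS stream")
    try:
        version, writer, _min_reader = struct.unpack_from(">3i", raw, 2)
        offset = 14
        if version == 3:  # v3 adds a length-prefixed native-encoding string
            (enc_len,) = struct.unpack_from(">i", raw, offset)
            if not 0 <= enc_len <= 64:  # sanity bound chosen for this example
                raise ValueError("implausible encoding length")
            offset += 4 + enc_len
        elif version != 2:
            raise ValueError(f"unsupported serialization version {version}")
        (flags,) = struct.unpack_from(">i", raw, offset)
    except struct.error:
        raise ValueError("truncated RDS header") from None
    return {
        "format_version": version,
        "written_by_r": f"{writer >> 16}.{(writer >> 8) & 0xFF}.{writer & 0xFF}",
        "top_level_type": flags & 0xFF,  # low byte of the flags word
        "top_level_promise": (flags & 0xFF) == PROMSXP,
    }

def constructed_sample(flags):
    # Constructed header-only stream (no object body), for demonstration.
    header = struct.pack(">3i", 3, 0x040302, 0x030500)
    encoding = struct.pack(">i", 5) + b"UTF-8"
    return gzip.compress(b"X\n" + header + encoding + struct.pack(">i", flags))

if __name__ == "__main__":
    for label, flags in (("integer vector", 13), ("promise", PROMSXP)):
        print(label, inspect_rds(constructed_sample(flags)))
```

A clean result here only means the outermost object is not a promise; files from untrusted sources should still be opened only with a patched R.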

A flaw in the R programming language could allow code execution

The HiddenLayer team reported this issue and closely collaborated with the R team, leading to the release of a patch in R v4.4.0 to address this critical vulnerability.
https://securityaffairs.com/162591/security/r-programming-language-flaw.html