Advisory

Rust programming language on Windows vulnerable to command injection

Take action: This is a narrow exploit scenario, but not an impossible one. The longer a Rust toolchain stays unpatched, the more exploit vectors will accumulate. Updating Rust is nearly trivial (`rustup update`), so it is worth running.


Learn More

A critical vulnerability has been reported in the Rust standard library that exposes Windows systems to command injection attacks.

Tracked as CVE-2024-24576 (CVSS score 10), the flaw, codenamed BatBadBut, can also impact several other programming languages. It stems from the standard library's failure to properly escape arguments when invoking batch files (`.bat` and `.cmd` extensions) through the Command API on Windows. An attacker, without authentication or user interaction, could exploit it remotely with low complexity to execute arbitrary commands on the operating system.

The flaw is critical for users who invoke batch files on Windows using untrusted arguments; however, it does not affect any other platform or usage scenario.

Rust versions prior to 1.77.2 on Windows are susceptible if the program or any of its dependencies executes batch files with untrusted inputs.

From Rust 1.77.2 onward, if the Command API cannot safely escape an argument when spawning the process, it returns an `InvalidInput` error and refuses to proceed with the potentially unsafe operation.

For those who must bypass the standard library's escaping logic, either because they handle only trusted inputs or because they implement their own escaping, the `CommandExt::raw_arg` method is available.
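As an added illustration (not code from the Rust project or from this advisory), the following shows a pre-flight check an application can apply before handing arguments to a batch file, useful where a dependency cannot yet be moved to 1.77.2. The allow-list and the function names are assumptions made for this example; it refuses with the same `InvalidInput` kind the patched Command API uses, and it runs on any platform.

```rust
use std::io;
use std::path::Path;
use std::process::Command;

/// True when `program` is a `.bat`/`.cmd` file, which Windows can only run
/// via cmd.exe: the code path on which CVE-2024-24576 applies.
/// Assumes the program name carries its extension.
pub fn is_batch_file(program: &str) -> bool {
    Path::new(program)
        .extension()
        .and_then(|ext| ext.to_str())
        .map(|ext| ext.eq_ignore_ascii_case("bat") || ext.eq_ignore_ascii_case("cmd"))
        .unwrap_or(false)
}

/// Hypothetical allow-list for arguments bound for a batch file: plain
/// identifiers, version strings and simple paths. Anything else (quotes,
/// `&`, `|`, `%`, `^`, line breaks, ...) is rejected rather than escaped.
pub fn batch_arg_is_safe(arg: &str) -> bool {
    !arg.is_empty()
        && arg.chars().all(|c| c.is_ascii_alphanumeric() || matches!(c, '-' | '_' | '.' | '/' | '\\' | ':'))
}

/// Builds the `Command` only when every argument passes the allow-list.
/// Refusing with `InvalidInput` mirrors what Rust 1.77.2's Command does when
/// it cannot escape safely, but this check runs on any Rust version or OS.
pub fn batch_command(program: &str, args: &[&str]) -> io::Result<Command> {
    if is_batch_file(program) {
        if let Some(bad) = args.iter().find(|a| !batch_arg_is_safe(a)) {
            return Err(io::Error::new(
                io::ErrorKind::InvalidInput,
                format!("refusing to pass {bad:?} to batch file {program}"),
            ));
        }
    }
    let mut cmd = Command::new(program);
    cmd.args(args);
    Ok(cmd)
}

fn main() {
    // Constructed inputs: a clean argument and one carrying cmd.exe metacharacters.
    for arg in ["release-1.2", "release\" & echo injected"] {
        match batch_command("build.bat", &[arg]) {
            Ok(_) => println!("{arg:?}: accepted"),
            Err(e) => println!("{arg:?}: rejected ({e})"),
        }
    }
}
```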

All users of the Rust programming language are advised to update to 1.77.2.
