Statement on CVE-2024-27322

This is a brief statement on behalf or the R Core Team on the serialization bug recently reported by the cybersecurity form HiddenLayer. The bug has been reported as a vulnerability with id CVE-2024-27322.

R is a full-featured language that includes functions to interface with both the host operating system and the Internet. As with any such language, there are many ways to write code with malicious intent. Users should ensure that they only use R code and data from trusted sources and that the privileges of the account running R are appropriately limited. These basic security principles are not limited to the R language.

The ability to write malicious code in R does not imply that the language itself is insecure. The base R language is maintained by a select group of high-trust individuals in The R Core Development Team, most of whom have been working on the language for decades.

Like any open source project, we rely on our wide user base to identify bugs in the source code. We welcome all bug reports, including those with security implications. The bug report by HiddenLayer is one such example. Briefly, promises are language objects used to implement lazy evaluation. Promises constructed in R are always bound to an environment, but HiddenLayer found a way to make an unbound promise by deserializing a hacked file. This bug has been fixed in R 4.4.0 and any attack vector associated with it has been removed.

We reject the idea that there are wider security implications associated with promises or serialization, both of which are core features of the language.