---
title: "Statement on CVE-2024-27322"
author: "Martyn Plummer"
date: 2024-05-10
categories: ["Security", "Internals"]
tags: ["bugs", "CVE"]

---

```{r setup, include=FALSE}
knitr::opts_chunk$set(collapse = TRUE)
```

*This is a brief statement on behalf of the R Core Team on the
serialization bug recently reported by the cybersecurity firm
HiddenLayer.  The bug has been reported as a vulnerability with
id [CVE-2024-27322](https://www.cve.org/CVERecord?id=CVE-2024-27322).*

R is a full-featured language that includes functions to interface
with both the host operating system and the Internet. As with any such
language, there are many ways to write code with malicious
intent. Users should ensure that they only use R code and data from
trusted sources and that the privileges of the account running R are
appropriately limited. These basic security principles are not limited
to the R language.

The ability to write malicious code in R does not imply that the
language itself is insecure. The base R language is maintained by a
select group of high-trust individuals in The R Core Development Team,
most of whom have been working on the language for decades.

Like any open source project, we rely on our wide user base to
identify bugs in the source code.  We welcome all bug reports,
including those with security implications. The bug report by
HiddenLayer is one such example. Briefly, promises are language
objects used to implement lazy evaluation: a promise pairs an
unevaluated expression with the environment in which that expression
is to be evaluated when the value is first needed. Promises
constructed in R are always bound to an environment, but HiddenLayer
found a way to make an unbound promise by deserializing a crafted
file. This bug has been fixed in R 4.4.0 and any attack vector
associated with it has been removed.
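The following is an added illustration, not part of the R Core statement and not code from R itself. It uses `delayedAssign()` to show what the paragraph above describes: a promise holds an expression that is evaluated only on first access, and it is evaluated in the environment the promise is bound to. It also shows the one practical check a practitioner would want before calling `readRDS()` or `unserialize()` on data of uncertain origin, namely that the interpreter is at least 4.4.0, the release in which the statement says the bug was fixed. The helper names `promise_demo` and `read_rds_checked` are the example's own.

```r
## Added example (not from the R Core statement): a promise is an
## unevaluated expression bound to an environment; it is "forced" (run)
## only when the bound variable is first accessed, and the result is cached.
promise_demo <- function() {
  where <- new.env()
  where$secret <- "value looked up in the bound environment"

  ## delayedAssign() creates a promise. The expression is NOT evaluated here;
  ## it runs in eval.env the first time 'lazy' is read in assign.env.
  delayedAssign("lazy",
                { message("promise forced"); toupper(secret) },
                eval.env = where, assign.env = environment())
  message("promise created, nothing forced yet")

  first  <- lazy   # forces the promise: evaluates the expression in 'where'
  second <- lazy   # cached value; the expression does not run a second time

  identical(first, second) &&
    first == "VALUE LOOKED UP IN THE BOUND ENVIRONMENT"
}

## Version gate for deserializing data from sources you do not control.
## The statement identifies R 4.4.0 as the first release with the fix, so
## older interpreters should only readRDS() data from trusted sources.
read_rds_checked <- function(path, trusted = FALSE) {
  if (!trusted && getRversion() < "4.4.0") {
    stop("R ", getRversion(), " predates the fix for CVE-2024-27322; ",
         "refusing to deserialize data from an untrusted source")
  }
  readRDS(path)
}

stopifnot(promise_demo())   # prints "promise forced" exactly once

## Round-trip a constructed object through a temporary file to exercise
## the checked reader on data we created ourselves.
tmp <- tempfile(fileext = ".rds")
saveRDS(list(a = 1L, b = "ok"), tmp)
stopifnot(identical(read_rds_checked(tmp, trusted = TRUE)$b, "ok"))
```

The version check is deliberately conservative: it refuses rather than warns, because the statement's advice is that untrusted data should not be deserialized at all, and on a fixed interpreter the gate is simply a no-op.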

We reject the idea that there are wider security implications
associated with promises or serialization, both of which are core
features of the language.