📌Vulnerability Identification: The critical security vuln is identified as ”BatBadBut” and is tracked under CVE-2024–24576
📌Affected Software: The vuln exists in the Rust standard library and specifically affects Windows systems
📌Severity Rating: It has been given the highest severity rating with CVSS score of 10.0, indicating maximum severity
📌Vulnerability Details: The flaw arises from the Rust standard library not properly escaping arguments when invoking batch files on Windows using the Command API. This could allow an attacker to execute arbitrary shell commands by bypassing the escaping
📌Conditions for Exploitation: Successful exploitation requires specific conditions: execution of a command on Windows, the command does not specify the file extension or uses .bat or .cmd, the command contains user-controlled input as part of the command arguments, and the runtime fails to escape the command arguments properly for cmd.exe
📌Affected Versions: All versions of Rust before 1.77.2 on Windows are impacted by this vulnerability
📌Broader Impact: The vulnerability also affects other programming languages, including Erlang, Go, Haskell, Java, Node.js, PHP, Python, and Ruby, though not all have released patches
📌Mitigation Recommendations: Users are advised to move batch files to a directory not included in the PATH environment variable to prevent unexpected execution. Developers should upgrade to Rust version 1.77.2 to patch the vulnerability
📌Discovery and Reporting: The vulnerability was discovered by a security engineer from Flatt Security known as RyotaK and reported to the CERT Coordination Center (CERT/CC)
📌Response from Rust: The Rust Security Response Working Group acknowledged the issue and has since improved the robustness of the escaping code and modified the Command API to return an InvalidInput error if an argument cannot be safely escaped
📌Other Languages’ Response: Patches have been released by maintainers of Haskell, Node.js, PHP, and yt-dlp to address the command injection bug