{"id":"CVE-2024-56327","summary":"Malicious plugin names, recipients, or identities can cause arbitrary binary execution in pyrage","details":"pyrage is a set of Python bindings for the rage file encryption library (age in Rust). `pyrage` uses the Rust `age` crate for its underlying operations, and `age` is vulnerable to GHSA-4fg7-vxc8-qx5w. All details of GHSA-4fg7-vxc8-qx5w are relevant to `pyrage` for the versions specified in this advisory. See GHSA-4fg7-vxc8-qx5w for full details. Versions of `pyrage` before 1.2.0 lack plugin support and are therefore **not affected**. An equivalent issue was fixed in [the reference Go implementation of age](https://github.com/FiloSottile/age), see advisory GHSA-32gq-x56h-299c. This issue has been addressed in version 1.2.3 and all users are advised to update. There are no known workarounds for this vulnerability.","aliases":["GHSA-47h8-jmp3-9f28"],"modified":"2026-04-10T05:19:54.198663Z","published":"2024-12-19T22:24:37.174Z","related":["GHSA-32gq-x56h-299c","GHSA-47h8-jmp3-9f28","GHSA-4fg7-vxc8-qx5w","GO-2024-3344"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-94"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56327.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56327.json"},{"type":"ADVISORY","url":"https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-4fg7-vxc8-qx5w"},{"type":"ADVISORY","url":"https://github.com/woodruffw/pyrage/security/advisories/GHSA-47h8-jmp3-9f28"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56327"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/FiloSottile/age","events":[{"introduced":"0"},{"fixed":"bbe6ce5eeb1bb70cfc705d0961c943f0dd637ffd"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.2.0"}]}}],"versions":["v1.0.0","v1.0.0-beta1","v1.0.0-beta2","v1.0.0-beta3","v1.0.0-beta4","v1.0.0-beta5","v1.0.0-beta6","v1.0.0-beta7","v1.0.0-rc.1","v1.0.0-rc.2","v1.0.0-rc.3","v1.1.0","v1.1.0-rc.1","v1.1.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56327.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/woodruffw/pyrage","events":[{"introduced":"ec398c4a38a1d2e184458c96153df89e606b0ba5"},{"fixed":"2a9bffd953403684b384b95ca93e345b3ecc9bd5"}],"database_specific":{"versions":[{"introduced":"1.2.0"},{"fixed":"1.2.3"}]}}],"versions":["v1.2.0","v1.2.1","v1.2.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56327.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}