{"id":"RUSTSEC-2024-0432","summary":"Malicious plugin names, recipients, or identities can cause arbitrary binary execution","details":"A plugin name containing a path separator may allow an attacker to execute an arbitrary\nbinary.\n\nSuch a plugin name can be provided to the `rage` CLI through an attacker-controlled\nrecipient or identity string, or an attacker-controlled plugin name via the `-j` flag.\n\nOn UNIX systems, a directory matching `age-plugin-*` needs to exist in the working\ndirectory for the attack to succeed.\n\nThe binary is executed with a single flag, either `--age-plugin=recipient-v1` or\n`--age-plugin=identity-v1`. The standard input includes the recipient or identity string,\nand the random file key (if encrypting) or the header of the file (if decrypting). The\nformat is constrained by the [age-plugin](https://c2sp.org/age-plugin) protocol.\n\nAn equivalent issue was fixed in [the reference Go implementation of age](https://github.com/FiloSottile/age),\nsee advisory [GHSA-32gq-x56h-299c](https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c).\n\nThanks to ⬡-49016 for reporting this issue.","aliases":["GHSA-4fg7-vxc8-qx5w","RUSTSEC-2024-0433"],"modified":"2026-02-04T03:22:44.974366Z","published":"2024-12-18T12:00:00Z","related":["GHSA-32gq-x56h-299c"],"database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/rage"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2024-0432.html"},{"type":"ADVISORY","url":"https://github.com/str4d/rage/security/advisories/GHSA-4fg7-vxc8-qx5w"}],"affected":[{"package":{"name":"rage","ecosystem":"crates.io","purl":"pkg:cargo/rage"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.6.0"},{"fixed":"0.6.1"},{"introduced":"0.7.0"},{"fixed":"0.7.2"},{"introduced":"0.8.0"},{"fixed":"0.8.2"},{"introduced":"0.9.0"},{"fixed":"0.9.3"},{"introduced":"0.10.0"},{"fixed":"0.10.1"},{"introduced":"0.11.0"},{"fixed":"0.11.1"}]}],"ecosystem_specific":{"affects":{"functions":[],"os":[],"arch":[]},"affected_functions":null},"database_specific":{"informational":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0432.json","categories":["code-execution"],"cvss":null}}],"schema_version":"1.7.3"}