
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (CVE-2024-43402) affects Rust's standard library, specifically related to an incomplete fix for CVE-2024-24576. The issue involves std::process::Command incorrectly escaping arguments when invoking batch files on Windows. Prior to Rust version 1.81.0, it was possible to bypass the fix when the batch file name had trailing whitespace or periods, which are ignored and stripped by Windows (Rust Blog, GitHub Advisory).
The original fix for CVE-2024-24576 checked whether the command name ended with .bat or .cmd to decide whether to apply the cmd.exe escaping rules. However, Windows removes trailing whitespace and periods when parsing file paths. For example, a file name ending in ".bat. ." is interpreted by Windows as ending in ".bat", but the original fix did not account for this behavior, so the escaping rules were not applied to such names. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (NVD).
The vulnerability affects users who execute batch scripts on Windows with untrusted arguments, specifically when the batch file name contains trailing whitespace or periods. The severity is considered low due to the niche conditions required to trigger the vulnerability, despite the high CVSS score (GitHub Advisory).
The vulnerability has been fixed in Rust 1.81.0, released on September 5th, 2024. The update applies the CVE-2024-24576 mitigations to all batch file invocations, regardless of any trailing characters in the file name. For users on earlier versions that already contain the original fix (1.77.2 or later), a temporary workaround is to remove trailing whitespace and periods from batch file names before invoking them (GitHub Advisory, Microsoft Docs).
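The following added example (not code from the Rust standard library or from the advisory) contrasts an extension check that inspects the literal file name with one that first normalises the name the way Windows does, and includes a helper for the pre-1.81.0 workaround of rejecting names with trailing whitespace or periods. All function names are hypothetical, and the trailing-character stripping is a model of the documented Windows behavior rather than a call into the OS.

```rust
// Added example: why a literal extension check misses batch files whose
// names carry trailing whitespace or periods, and how a hardened check
// normalises the name before deciding whether cmd.exe escaping applies.

/// Check modelled on the shape of the original CVE-2024-24576 fix: only the
/// literal extension of the command name is inspected.
pub fn is_batch_file_naive(name: &str) -> bool {
    let lower = name.to_ascii_lowercase();
    lower.ends_with(".bat") || lower.ends_with(".cmd")
}

/// Model of Windows path parsing: trailing whitespace and periods are dropped
/// when the name is resolved (assumption: this mirrors the documented
/// behaviour; it does not query the OS).
pub fn strip_trailing_ws_and_dots(name: &str) -> &str {
    name.trim_end_matches(|c: char| c.is_whitespace() || c == '.')
}

/// Hardened check: normalise first, then inspect the extension, so a name
/// such as "build.bat. ." is treated as the batch file Windows will run.
pub fn is_batch_file_hardened(name: &str) -> bool {
    is_batch_file_naive(strip_trailing_ws_and_dots(name))
}

/// Workaround helper for toolchains before 1.81.0: report names that Windows
/// would silently rewrite, so a caller can refuse them (or rename the file)
/// instead of relying on the extension check alone.
pub fn has_trailing_ws_or_dots(name: &str) -> bool {
    strip_trailing_ws_and_dots(name).len() != name.len()
}

fn main() {
    // Constructed sample names; none refer to real files.
    let names = ["build.bat", "build.bat. .", "build.CMD   ", "tool.exe"];
    for n in names {
        println!(
            "{:?}: naive={} hardened={} needs_rename={}",
            n,
            is_batch_file_naive(n),
            is_batch_file_hardened(n),
            has_trailing_ws_or_dots(n)
        );
    }
}
```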
Source: This report was generated using AI