CVE-2024-56327: 
Python vulnerability analysis and mitigation

pyrage is a set of Python bindings for the rage file encryption library (age in Rust). The vulnerability affects versions 1.2.0 through 1.2.2, where a plugin name containing a path separator may allow an attacker to execute arbitrary binary through attacker-controlled recipient or identity strings. The issue was discovered and disclosed on December 19, 2024, and has been assigned CVE-2024-56327. Versions of pyrage before 1.2.0 are not affected as they lack plugin support (GitHub Advisory).

The vulnerability stems from pyrage's use of the Rust age crate for underlying operations. On UNIX systems, a directory matching ${TMPDIR:-/tmp}/age-plugin-* needs to exist for the attack to succeed. When exploited, the binary is executed with a single flag (either --age-plugin=recipient-v1 or --age-plugin=identity-v1). The standard input includes the recipient or identity string, and either the random file key (if encrypting) or the file header (if decrypting). The format is constrained by the age-plugin protocol (Age Advisory).

The vulnerability allows attackers to execute arbitrary binaries through maliciously crafted plugin names, recipients, or identities. This could potentially lead to unauthorized code execution on affected systems (Rage Advisory).

The vulnerability has been patched in version 1.2.3, and all users are advised to upgrade to this version. There are no known workarounds for this vulnerability (GitHub Advisory).