GHSA-4fg7-vxc8-qx5w: 
Rust vulnerability analysis and mitigation

The vulnerability (GHSA-4fg7-vxc8-qx5w) affects the rage file encryption library and its Python bindings (pyrage). The issue allows attackers to execute arbitrary binaries through malicious plugin names containing path separators. This vulnerability was discovered in December 2024 and affects multiple versions of the age and rage packages (GitHub Advisory).

The vulnerability exists when plugin names containing path separators are processed by the system. The attack can be triggered through attacker-controlled recipient or identity strings, or through specific API calls when the plugin feature flag is enabled. For successful exploitation on UNIX systems, a directory matching age-plugin-* must exist in the working directory. The executed binary receives a single flag (--age-plugin=recipient-v1 or --age-plugin=identity-v1) and receives input through stdin including the recipient/identity string and either the random file key or file header (RustSec Advisory).

When successfully exploited, this vulnerability allows attackers to execute arbitrary binaries on the target system. The impact is particularly significant in environments where untrusted input is processed through the affected APIs or CLI interfaces (GitHub Advisory).

The vulnerability has been patched in multiple versions: age/rage 0.6.1, 0.7.2, 0.8.2, 0.9.3, 0.10.1, and 0.11.1. The fix restricts plugin names to only contain alphanumeric characters or the special characters +-._ Users are strongly advised to upgrade to these patched versions. For pyrage users, version 1.2.3 contains the fix (GitHub Commit).