
Cloud Vulnerability DB
A community-led vulnerabilities database
A security vulnerability was discovered in the rage encryption tool affecting multiple versions (0.6.0 through 0.11.0). The vulnerability allows malicious plugin names, recipients, or identities to potentially cause arbitrary binary execution. This issue was disclosed on December 18, 2024, affecting both the 'age' and 'rage' Rust packages (GitHub Advisory).
The vulnerability occurs when the rage CLI processes a plugin name containing a path separator, supplied through an attacker-controlled recipient or identity string. With the plugin feature flag enabled, the affected APIs include age::plugin::Identity::from_str, age::plugin::Identity::default_for_plugin, age::plugin::IdentityPluginV1::new, age::plugin::Recipient::from_str, and age::plugin::RecipientPluginV1::new. On UNIX systems, exploitation requires a directory matching age-plugin-* to exist in the working directory. The executed binary receives a single flag (--age-plugin=recipient-v1 or --age-plugin=identity-v1) and, on stdin, the recipient/identity string together with either the random file key or the file header (GitHub Advisory).
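As an added illustration (not code from the rage project, and not the upstream fix itself), the Rust function below shows the kind of allow-list check that stops a plugin name from turning the age-plugin-<name> binary lookup into a relative filesystem path; the accepted character set is an assumption made for this example.

```rust
use std::path::Path;

/// Prefix every plugin binary name carries, as described in the advisory.
const PLUGIN_PREFIX: &str = "age-plugin-";

/// Returns the binary name for `plugin_name`, or `None` when the name is not a
/// plain identifier. The allow-list (an assumption for this example: lowercase
/// ASCII letters, digits and `-`) rejects path separators and `..`, so the
/// resulting name can only ever be a single path component.
pub fn plugin_binary_name(plugin_name: &str) -> Option<String> {
    let well_formed = !plugin_name.is_empty()
        && plugin_name
            .bytes()
            .all(|b| b.is_ascii_lowercase() || b.is_ascii_digit() || b == b'-');
    if !well_formed {
        return None;
    }
    let binary = format!("{}{}", PLUGIN_PREFIX, plugin_name);
    // A single-component name is resolved via PATH by std::process::Command;
    // anything with more components is treated as a path relative to the
    // working directory, which is the behaviour the advisory describes.
    debug_assert_eq!(Path::new(&binary).components().count(), 1);
    Some(binary)
}

/// Reports whether `binary` would be resolved relative to the working
/// directory (more than one path component) rather than searched on PATH.
pub fn resolves_as_path(binary: &str) -> bool {
    Path::new(binary).components().count() > 1
}

fn main() {
    // Constructed sample names: one well-formed, two carrying separators.
    for name in ["yubikey", "../../tmp/evil", "x/../evil"] {
        match plugin_binary_name(name) {
            Some(bin) => println!("{:?} -> run {} with --age-plugin=recipient-v1", name, bin),
            None => println!("{:?} -> rejected before any process is spawned", name),
        }
    }
}
```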
The vulnerability could lead to arbitrary binary execution on affected systems, potentially compromising system security. The issue has been classified as 'Moderate' severity and is associated with CWE-25 (GitHub Advisory).
The vulnerability has been patched in versions 0.6.1, 0.7.2, 0.8.2, 0.9.3, 0.10.1, and 0.11.1 of both the age and rage packages. Users are advised to upgrade to these patched versions to mitigate the vulnerability (GitHub Advisory).
Source: This report was generated using AI