RUSTSEC-2024-0433: 
Rust vulnerability analysis and mitigation

The vulnerability (RUSTSEC-2024-0433) affects the Rust implementation of age encryption tool, specifically in the rage crate. The issue was discovered and disclosed on December 18, 2024, affecting multiple versions of both age and rage crates (0.6.0 through 0.11.0). The vulnerability allows malicious plugin names to potentially execute arbitrary binaries through path separator manipulation (GitHub Advisory).

The vulnerability stems from insufficient validation of plugin names containing path separators. The issue can be exploited through attacker-controlled recipient or identity strings in the rage CLI, or through specific age APIs when the plugin feature flag is enabled. The affected APIs include age::plugin::Identity::fromstr, age::plugin::Identity::defaultforplugin, age::plugin::IdentityPluginV1::new, age::plugin::Recipient::fromstr, and age::plugin::RecipientPluginV1::new. On UNIX systems, exploitation requires the existence of a directory matching age-plugin-* in the working directory (GitHub Advisory).

If successfully exploited, this vulnerability could lead to arbitrary binary execution on the target system. The binary would be executed with specific flags (--age-plugin=recipient-v1 or --age-plugin=identity-v1) and would have access to the recipient or identity string and either the random file key during encryption or the file header during decryption (GitHub Advisory).

The vulnerability has been patched in versions 0.6.1, 0.7.2, 0.8.2, 0.9.3, 0.10.1, and 0.11.1 of both age and rage crates. Users are advised to upgrade to these patched versions to mitigate the vulnerability (GitHub Advisory).

The vulnerability was reported by ⬡-49016 and was also identified and fixed in the reference Go implementation of age (GHSA-32gq-x56h-299c) (GitHub Advisory).