HiddenLayer Uncovers Deserialization Vulnerability in Open-Source Programming Language, R
Vulnerability Threatens Users in Critical Government, Medical, and Financial Sectors
R is an open-source programming language and software environment for statistical computing, data visualization, and machine learning. HiddenLayer researchers discovered a vulnerability, CVE-2024-27322, that allows for arbitrary code execution by deserializing untrusted data. This can be exploited through the loading of RDS (R Data Serialization) files or R packages, which are often shared between developers and data scientists. Researchers found that an attacker could create malicious RDS files or R packages containing embedded arbitrary R code that executes on the victim's target device upon interaction.
This carries significant implications given the widespread use of the R language among major organizations in the healthcare, finance, and government industries, as evidenced by R conferences which previously featured speakers from NASA, the World Health Organization (WHO), the US Food and Drug Administration (FDA), and the US Army. R has also become increasingly popular in the AI/ML field due to its usage of large datasets and dedicated following in the open-source community, with projects like Bioconductor being referenced in their documentation, boasting over 42 million downloads, and The Comprehensive R Archive Network (CRAN) repository hosting over 20,000 packages to date. Projects containing potentially vulnerable code were found within GitHub repositories from
"R is indispensable across many critical sectors for its analytical capabilities and growing popularity to power machine learning projects. Its collaborative ecosystem fosters flexibility and innovation," said
As the rapid integration of AI outpaces the deployment of adequate security measures, organizations must implement more stringent security protocols for AI technologies. HiddenLayer's AISec Platform provides a comprehensive suite of products designed to safeguard ML models against adversarial attacks, vulnerabilities, and malicious code injections, offering organizations defense against emerging threats to AI. The AISec Platform will provide protection from this vulnerability in its Q2 product release.
Learn more about this vulnerability in HiddenLayer's blog post "R-bitrary Code Execution: Vulnerability in R's Deserialization."
Following our responsible disclosure process, HiddenLayer worked closely with the team at R who worked quickly to patch this vulnerability within the most recent release - R v4.4.0, and CISA to support remediation efforts.
About HiddenLayer
HiddenLayer is the leading provider of security for AI. Its security platform helps enterprises safeguard the machine learning models behind their most important products. HiddenLayer is the only company to offer turnkey security for AI that does not add unnecessary complexity to models and does not require access to raw data and algorithms. Founded by a team with deep roots in security and ML, HiddenLayer aims to protect enterprise AI from inference, bypass, extraction attacks, and model theft. The company is backed by a group of strategic investors, including M12, Microsoft's Venture Fund, Moore Strategic Ventures, Booz Allen Ventures, IBM Ventures, and Capital One Ventures.
Contact
SutherlandGold for HiddenLayer
[email protected]
View original content to download multimedia:https://www.prnewswire.com/news-releases/hiddenlayer-uncovers-deserialization-vulnerability-in-open-source-programming-language-r-302129915.html
SOURCE HiddenLayer
Serious News for Serious Traders! Try StreetInsider.com Premium Free!
You May Also Be Interested In
- JALIL LOPEZ RETURNS TO THE BILLBOARD CHARTS FOLLOWING THE RELEASE OF THE OFFICIAL MUSIC VIDEO FOR "LA CULPABLE"
- Perspective Therapeutics Announces Acceptance of VMT-α-NET Data for Oral Presentation at the ESMO Congress 2026
- CVS Pharmacy® celebrates opening of first pharmacy-focused location in Houston
Create E-mail Alert Related Categories
PRNewswire, Press ReleasesRelated Entities
FDASign up for StreetInsider Free!
Receive full access to all new and archived articles, unlimited portfolio tracking, e-mail alerts, custom newswires and RSS feeds - and more!



Tweet
Share