high
8.8
CWE
78 88
Advisory Published
Updated

CVE-2024-43402: Rust OS Command Injection/Argument Injection vulnerability

First published: Wed Sep 04 2024(Updated: )

Rust is a programming language. The fix for CVE-2024-24576, where `std::process::Command` incorrectly escaped arguments when invoking batch files on Windows, was incomplete. Prior to Rust version 1.81.0, it was possible to bypass the fix when the batch file name had trailing whitespace or periods (which are ignored and stripped by Windows). To determine whether to apply the `cmd.exe` escaping rules, the original fix for the vulnerability checked whether the command name ended with `.bat` or `.cmd`. At the time that seemed enough, as we refuse to invoke batch scripts with no file extension. Windows removes trailing whitespace and periods when parsing file paths. For example, `.bat. .` is interpreted by Windows as `.bat`, but the original fix didn't check for that. Affected users who are using Rust 1.77.2 or greater can remove the trailing whitespace (ASCII 0x20) and trailing periods (ASCII 0x2E) from the batch file name to bypass the incomplete fix and enable the mitigations. Users are affected if their code or one of their dependencies invoke a batch script on Windows with trailing whitespace or trailing periods in the name, and pass untrusted arguments to it. Rust 1.81.0 will update the standard library to apply the CVE-2024-24576 mitigations to all batch files invocations, regardless of the trailing chars in the file name.

Credit: security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Rust<1.81.0

Remedy

https://learn.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/file-folder-name-whitespace-characters

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2024-43402?

    CVE-2024-43402 is considered to have a moderate severity due to the potential for bypassing security measures.

  • How do I fix CVE-2024-43402?

    To fix CVE-2024-43402, upgrade Rust to version 1.81.0 or later where the vulnerability has been addressed.

  • Who is affected by CVE-2024-43402?

    CVE-2024-43402 affects users of Rust versions prior to 1.81.0.

  • What is the cause of CVE-2024-43402?

    CVE-2024-43402 is caused by an incomplete fix for argument escaping in `std::process::Command` when invoking batch files on Windows.

  • Is CVE-2024-43402 related to any other vulnerabilities?

    Yes, CVE-2024-43402 is related to CVE-2024-24576 as it stems from an incomplete fix for that earlier vulnerability.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203