GHSA-47h8-jmp3-9f28: pyrage vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution

December 19, 2024

pyrage uses the Rust age crate for its underlying operations, and age is vulnerable to GHSA-4fg7-vxc8-qx5w.

All details of GHSA-4fg7-vxc8-qx5w are relevant to pyrage for the versions specified in this advisory. See GHSA-4fg7-vxc8-qx5w for full details.

Versions of pyrage before 1.2.0 lack plugin support and are therefore not affected.

An equivalent issue was fixed in the reference Go implementation of age, see advisory GHSA-32gq-x56h-299c.

Thanks to ⬡-49016 for reporting this issue.

References

github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c
github.com/advisories/GHSA-47h8-jmp3-9f28
github.com/str4d/rage/security/advisories/GHSA-4fg7-vxc8-qx5w
github.com/woodruffw/pyrage
github.com/woodruffw/pyrage/security/advisories/GHSA-47h8-jmp3-9f28

Detect and mitigate GHSA-47h8-jmp3-9f28 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →