
A critical security vulnerability has been identified in the Apache Arrow R package, affecting versions 4.0.0 through 16.1.0; it could allow attackers to execute arbitrary code on systems that process maliciously crafted data files.
The flaw, tracked as CVE-2024-52338 with a CVSS score of 9.8, stems from insecure deserialization of data in the IPC and Parquet readers of the affected versions of the R package. Applications that read Arrow IPC, Feather, or Parquet files from untrusted sources, such as user-supplied input files, are particularly exposed.
If exploited, it allows attackers to compromise systems and potentially gain unauthorized access to sensitive data. It is crucial to note that this vulnerability is specific to the Apache Arrow R package and does not directly impact other Apache Arrow implementations or bindings.
The Apache Software Foundation urges users to upgrade to version 17.0.0 or later of the Apache Arrow R package immediately. Downstream libraries depending on the affected package should also update their dependencies accordingly.
For users unable to immediately upgrade, a temporary workaround involves reading untrusted data into a Table and utilizing its internal to_data_frame() method.
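The workaround above, written out as an added R example (not code from the article or from the Apache Arrow project): a small helper that checks whether the installed `arrow` package falls in the affected range and reads an untrusted file into a Table first, then converts it with the Table's own `to_data_frame()` method. It assumes the `arrow` package's `read_parquet()`, `read_feather()` and `read_ipc_file()` accept an `as_data_frame` argument and that Table objects expose `to_data_frame()`; the helper names `arrow_is_affected` and `read_untrusted` are this example's own.

```r
# Added example, not from the article or the Apache Arrow project.
# Assumes: arrow::read_parquet()/read_feather()/read_ipc_file() take
# `as_data_frame`, and an Arrow Table has a to_data_frame() method.
library(arrow)

# TRUE when the installed arrow R package is within the advisory's
# affected range (4.0.0 through 16.1.0); 17.0.0 and later are fixed.
arrow_is_affected <- function(v = packageVersion("arrow")) {
  v >= "4.0.0" && v < "17.0.0"
}

# Read an untrusted file as an Arrow Table (as_data_frame = FALSE) and
# convert it with the Table's internal to_data_frame(), instead of letting
# the reader hand the result to as.data.frame() itself.
read_untrusted <- function(path, format = c("parquet", "feather", "ipc")) {
  format <- match.arg(format)
  reader <- switch(format,
    parquet = arrow::read_parquet,
    feather = arrow::read_feather,
    ipc     = arrow::read_ipc_file
  )
  tbl <- reader(path, as_data_frame = FALSE)   # stays an Arrow Table
  tbl$to_data_frame()                          # workaround conversion path
}

# Constructed sample input: write a small Parquet file locally, then read it
# back through the workaround path and sanity-check the result.
tmp <- tempfile(fileext = ".parquet")
arrow::write_parquet(data.frame(id = 1:3, label = c("a", "b", "c")), tmp)
df <- read_untrusted(tmp, "parquet")
stopifnot(nrow(df) == 3, identical(names(df), c("id", "label")))

if (arrow_is_affected()) {
  message("arrow ", packageVersion("arrow"),
          " is in the affected range; upgrade to 17.0.0 or later and use ",
          "read_untrusted() for untrusted files until then")
}
```

The version check is only a reminder to upgrade; the helper is useful regardless of version because it keeps the untrusted-input conversion on the Table method the advisory recommends, and it can be dropped once every environment runs 17.0.0 or later.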


