N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-4fg7-vxc8-qx5w

EPSS Score

CWE

CWE-25

Published

12/18/2024

Updated

1/3/2025

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-4fg7-vxc8-qx5w

GHSA-4fg7-vxc8-qx5w: rage vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution

A plugin name containing a path separator may allow an attacker to execute an arbitrary binary.

Such a plugin name can be provided to the rage CLI through an attacker-controlled recipient or identity string, or to the following age APIs when the plugin feature flag is enabled:

On UNIX systems, a directory matching age-plugin-* needs to exist in the working directory for the attack to succeed.

The binary is executed with a single flag, either --age-plugin=recipient-v1 or --age-plugin=identity-v1. The standard input includes the recipient or identity string, and the random file key (if encrypting) or the header of the file (if decrypting). The format is constrained by the age-plugin protocol.

An equivalent issue was fixed in the reference Go implementation of age, see advisory GHSA-32gq-x56h-299c.

Thanks to ⬡-49016 for reporting this issue.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-4fg7-vxc8-qx5w

EPSS Score

CWE

CWE-25

Published

12/18/2024

Updated

1/3/2025

KEV Status

Technology

Rust

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rage	rust	= 0.6.0	0.6.1
age	rust	= 0.6.0	0.6.1
age	rust	>= 0.7.0, < 0.7.2	0.7.2
age	rust	>= 0.8.0, < 0.8.2	0.8.2
age	rust	>= 0.9.0, < 0.9.3	0.9.3
age	rust	= 0.10.0	0.10.1
age	rust	= 0.11.0	0.11.1
rage	rust	>= 0.7.0, < 0.7.2	0.7.2
rage	rust	>= 0.8.0, < 0.8.2	0.8.2
rage	rust	>= 0.9.0, < 0.9.3	0.9.3
rage	rust	= 0.10.0	0.10.1
rage	rust	= 0.11.0	0.11.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient validation of plugin names in multiple API entry points. The commit diff shows added validation logic in age/src/plugin.rs for these specific functions, confirming they previously lacked proper sanitization. Advisory documents explicitly list these functions as attack vectors when processing attacker-controlled inputs. The functions construct plugin binaries using untrusted names without restricting special characters, enabling path traversal attacks on UNIX systems when combined with age-plugin-* directories.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* plu*in n*m* *ont*inin* * p*t* s*p*r*tor m*y *llow *n *tt**k*r to *x**ut* *n *r*itr*ry *in*ry. Su** * plu*in n*m* **n ** provi*** to t** `r***` *LI t*rou** *n *tt**k*r-*ontroll** r**ipi*nt or i**ntity strin*, or to t** *ollowin* `***` *PIs w**n t**

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt `v*li**tion` o* plu*in n*m*s in multipl* *PI *ntry points. T** *ommit *i** s*ows ***** `v*li**tion` lo*i* in `***/sr*/plu*in.rs` *or t**s* sp**i*i* `*un*tions`, *on*irmin* t**y pr*viously l**k** prop*r s*niti

N/A

Basic Information

Concerned about an active attack path?

GHSA-4fg7-vxc8-qx5w: rage vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI