CVE-2024-53256

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-53256

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-53256.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-53256

Aliases

GHSA-5jhc-frm4-p8v9

Published

2024-12-23T15:17:50Z

Modified

2025-10-30T20:31:20.154391Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Rizin has a command injection via RzBinInfo bclass due legacy code

Details

Rizin is a UNIX-like reverse engineering framework and command-line toolset. rizin.c still had an old snippet of code which suffered a command injection due the usage of rz_core_cmdf to invoke the command m which was removed in v0.1.x. A malicious binary defining bclass (part of RzBinInfo) is executed if rclass (part of RzBinInfo) is set to fs; the vulnerability can be exploited by any bin format where bclass and rclass are user defined. This vulnerability is fixed in 0.7.4.

Database specific

{
    "cwe_ids": [
        "CWE-78"
    ]
}

References

Affected packages

Git / github.com/rizinorg/rizin

Affected ranges

Type: GIT
Repo: https://github.com/rizinorg/rizin
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f1af5c8d9e99f4c6adc07a7b2623d19cb8850ab3

Affected versions

0.*

0.1.0

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.2.0

v0.2.1

v0.3.0

v0.3.1

v0.3.2

v0.3.3

v0.3.4

v0.4.0

v0.4.1

v0.5.0

v0.5.1

v0.5.2

v0.6.0

v0.6.1

v0.6.2

v0.6.3

v0.7.0

v0.7.2

v0.7.3