CVE-2024-53256

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-53256
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-53256.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-53256
Aliases
  • GHSA-5jhc-frm4-p8v9
Published
2024-12-23T16:15:06Z
Modified
2025-09-19T15:11:15.799219Z
Summary
[none]
Details

Rizin is a UNIX-like reverse engineering framework and command-line toolset. rizin.c still had an old snippet of code which suffered a command injection due the usage of rz_core_cmdf to invoke the command m which was removed in v0.1.x. A malicious binary defining bclass (part of RzBinInfo) is executed if rclass (part of RzBinInfo) is set to fs; the vulnerability can be exploited by any bin format where bclass and rclass are user defined. This vulnerability is fixed in 0.7.4.

References

Affected packages

Git / github.com/rizinorg/rizin

Affected ranges

Type
GIT
Repo
https://github.com/rizinorg/rizin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
db6c5b39c065ce719f587c9815c47fbb834b10fa

Affected versions

v0.*

v0.7.0
v0.7.1

Database specific 

{
    "vanir_signatures": [
        {
            "target": {
                "file": "librz/main/rizin.c"
            },
            "id": "CVE-2024-53256-57653183",
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "176666271852239306400846681101879132418",
                    "250681000660679485998367055926979244251",
                    "134927983197663603695150419731225844746",
                    "251063704295113106393899693552418825907",
                    "164786856398000612859508854850331196438",
                    "307328731553542586228795441788106304174",
                    "238116822458271588704292294958200398129"
                ],
                "threshold": 0.9
            },
            "source": "https://github.com/rizinorg/rizin/commit/db6c5b39c065ce719f587c9815c47fbb834b10fa",
            "deprecated": false,
            "signature_type": "Line"
        },
        {
            "target": {
                "function": "rz_main_rizin",
                "file": "librz/main/rizin.c"
            },
            "id": "CVE-2024-53256-9c8dcf97",
            "signature_version": "v1",
            "digest": {
                "length": 25170.0,
                "function_hash": "283979120332574894122836435802239515964"
            },
            "source": "https://github.com/rizinorg/rizin/commit/db6c5b39c065ce719f587c9815c47fbb834b10fa",
            "deprecated": false,
            "signature_type": "Function"
        }
    ]
}