Critical R Programming Vulnerability Threatens Sensitive Sectors

April 30, 2024
  • HiddenLayer, a security firm, has identified a high-severity vulnerability, CVE-2024-27322, in the R programming language.

  • The flaw allows arbitrary code execution by deserializing untrusted data and affects critical sectors like government and healthcare.

  • Attackers can exploit the vulnerability by crafting malicious RDS files, taking advantage of R's promise objects and lazy evaluation.

  • The vulnerability has been fixed in R version 4.4.0, released on April 24, 2024, after collaboration between HiddenLayer, R's maintainers, and CISA.

  • Given R's widespread use and the common practice of sharing packages, it is essential for organizations to update R and educate users on security.

Summary based on 3 sources

