Critical ‘BatBadBut’ Rust Vulnerability Exposes Windows Systems to Attacks


A critical security flaw in the Rust standard library could be exploited to target Windows users and stage command injection attacks.

The vulnerability, tracked as CVE-2024-24576, has a CVSS score of 10.0, indicating maximum severity. That said, it only impacts scenarios where batch files are invoked on Windows with untrusted arguments.

The flaw impacts all versions of Rust before 1.77.2. Security researcher RyotaK has been credited with discovering and reporting the bug to the CERT Coordination Center (CERT/CC).

The vulnerability, per CERT/CC, stems from programming languages lacking adequate validation of command arguments when invoking commands in a Microsoft Windows environment, which lets an attacker execute arbitrary code disguised as arguments to the command.

“The complete impact of this vulnerability depends on the implementation that uses a vulnerable programming language or such a vulnerable module,” it added.

“To prevent the unexpected execution of batch files, you should consider moving the batch files to a directory that is not included in the PATH environment variable,” RyotaK said in a word of advice to users.

“In this case, the batch files won’t be executed unless the full path is specified, so the unexpected execution of batch files can be prevented.”
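The advice above can be turned into a pre-spawn guard. The following is an added example written for this page, not code from the article, from RyotaK, or from the Rust project; the function names, the list of cmd.exe metacharacters it rejects, and the sample paths such as `C:\tools\build.bat` are illustrative assumptions. It enforces two rules before a batch file is handed to `std::process::Command`: the batch file must be named by a fully qualified path rather than resolved through PATH, and no untrusted argument may contain a character that cmd.exe parses specially. Updating to Rust 1.77.2 or later is still the primary fix, since the patched standard library itself refuses arguments it cannot escape safely; this guard complements that by also rejecting the relative-name case.

```rust
// Added example: defensive checks before spawning a batch file on Windows.
// Not code from the article or the Rust project. Function names, the
// metacharacter list and all sample paths are assumptions for illustration.

/// Characters cmd.exe treats specially when parsing a command line. Any of
/// these in an untrusted argument is grounds to refuse the call outright.
const CMD_METACHARACTERS: &[char] = &['&', '|', '<', '>', '^', '%', '"', '!', '\r', '\n'];

#[derive(Debug, PartialEq)]
pub enum BatchGuardError {
    /// Batch file was named relative to PATH or the working directory.
    RelativeBatchPath,
    /// An argument contained a cmd.exe metacharacter.
    UnsafeArgument(String),
}

/// Last path segment, accepting both Windows separators.
fn file_name(program: &str) -> &str {
    program.rsplit(|c| c == '\\' || c == '/').next().unwrap_or(program)
}

/// True if `program` names a batch script, which Windows runs through cmd.exe.
pub fn is_batch_file(program: &str) -> bool {
    match file_name(program).rsplit_once('.') {
        Some((_, ext)) => ext.eq_ignore_ascii_case("bat") || ext.eq_ignore_ascii_case("cmd"),
        None => false,
    }
}

/// True for a fully qualified Windows path: `C:\...`, `C:/...` or UNC `\\server\share\...`.
/// Checked by hand rather than via Path::is_absolute so it behaves the same on any host.
pub fn is_fully_qualified(program: &str) -> bool {
    let b = program.as_bytes();
    let drive = b.len() >= 3
        && b[0].is_ascii_alphabetic()
        && b[1] == b':'
        && (b[2] == b'\\' || b[2] == b'/');
    drive || program.starts_with("\\\\")
}

/// True if the argument contains anything cmd.exe might interpret.
pub fn has_cmd_metacharacters(arg: &str) -> bool {
    arg.chars().any(|c| CMD_METACHARACTERS.contains(&c))
}

/// Ok(()) when spawning `program` with `args` is acceptable: native executables
/// pass straight through; batch files must be fully qualified (RyotaK's advice)
/// and every argument must be free of cmd.exe metacharacters.
pub fn check_batch_invocation(program: &str, args: &[&str]) -> Result<(), BatchGuardError> {
    if !is_batch_file(program) {
        return Ok(()); // a native executable does not go through cmd.exe
    }
    if !is_fully_qualified(program) {
        return Err(BatchGuardError::RelativeBatchPath);
    }
    if let Some(bad) = args.iter().find(|a| has_cmd_metacharacters(a)) {
        return Err(BatchGuardError::UnsafeArgument((*bad).to_string()));
    }
    Ok(())
}

/// Where the guard sits in real code; only compiled on Windows, where batch files exist.
#[cfg(windows)]
pub fn run_batch(program: &str, args: &[&str]) -> std::io::Result<std::process::ExitStatus> {
    if let Err(e) = check_batch_invocation(program, args) {
        return Err(std::io::Error::new(std::io::ErrorKind::InvalidInput, format!("{e:?}")));
    }
    std::process::Command::new(program).args(args).status()
}

fn main() {
    // Constructed sample inputs; build.bat and C:\tools are placeholder paths.
    let cases = [
        ("build.bat", vec!["release"]),
        (r"C:\tools\build.bat", vec!["release"]),
        (r"C:\tools\build.bat", vec!["release & echo oops"]),
        ("notepad.exe", vec!["notes.txt"]),
    ];
    for (program, args) in &cases {
        println!("{program} {args:?} -> {:?}", check_batch_invocation(program, args));
    }
}
```

The metacharacter check is deliberately a reject list rather than an attempt at escaping: quoting rules for cmd.exe are the very thing that made the original escaping wrong, so refusing suspect input is the safer design for arguments that come from outside the program.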