Arbitrary Code Execution in Apache Arrow R Package Through Deserialization
The Apache Arrow R package, versions 4.0.0 through 16.1.0, deserializes untrusted data unsafely: an application that reads Arrow IPC, Feather, or Parquet data from untrusted sources can be made to execute arbitrary code.

Only the arrow R package is affected, not other Apache Arrow implementations or bindings, unless those are used through the R package. For example, an R application that uses PyArrow through an embedded Python interpreter and handles untrusted data is still at risk if it runs a vulnerable version of the arrow package.

Users are advised to upgrade the arrow R package to version 17.0.0 or later, and downstream libraries should raise their dependency requirements to that version or later.

Users who cannot upgrade from a vulnerable version can work around the issue by reading untrusted data into a Table (with as_data_frame = FALSE) and then converting it with the to_data_frame() method, for example read_parquet(..., as_data_frame = FALSE)$to_data_frame().
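The workaround above, as an added example in R that is not part of the advisory or the arrow project's own code. It wraps the "read into a Table, then call to_data_frame()" pattern in a helper, checks the installed arrow version against the fixed version the advisory names, and exercises the helper on a small Parquet file written to a temporary path. The helper name `read_untrusted`, the `format` dispatch across the three readers, and the sample data are assumptions of this example.

```r
# Added example (not from the advisory or the arrow project). Function names,
# the format dispatch and the sample data are assumptions for illustration.
library(arrow)

# Minimum arrow R package version the advisory names as fixed.
ARROW_FIXED_VERSION <- "17.0.0"

# TRUE when the installed arrow package is at or past the fixed version.
arrow_is_fixed <- function() {
  packageVersion("arrow") >= ARROW_FIXED_VERSION
}

# Read untrusted data into a Table first (as_data_frame = FALSE) and then
# convert it with the Table's to_data_frame() method, rather than letting the
# reader build the data.frame itself. `format` selects which arrow reader is
# used; that dispatch is this example's choice, not part of the advisory.
read_untrusted <- function(path, format = c("parquet", "feather", "ipc")) {
  format <- match.arg(format)
  tbl <- switch(format,
    parquet = read_parquet(path, as_data_frame = FALSE),
    feather = read_feather(path, as_data_frame = FALSE),
    ipc     = read_ipc_file(path, as_data_frame = FALSE)
  )
  tbl$to_data_frame()
}

# Flag an affected installation; upgrading remains the recommended fix.
if (!arrow_is_fixed()) {
  warning(sprintf(
    "arrow %s is in the affected range; upgrade to %s or later. Falling back to the to_data_frame() workaround.",
    packageVersion("arrow"), ARROW_FIXED_VERSION))
}

# Constructed sample input: a small Parquet file written to a temporary path,
# standing in for a file received from an untrusted source.
tmp <- tempfile(fileext = ".parquet")
write_parquet(data.frame(id = 1:3, value = c("a", "b", "c")), tmp)

df <- read_untrusted(tmp, format = "parquet")
stopifnot(is.data.frame(df), identical(nrow(df), 3L))
print(df)
```

The helper applies the same two-step pattern to all three readers the advisory lists, so callers have one place to change once the package is upgraded and the workaround is no longer needed.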