Radare2
radare2-mcp version 1.6.0 and earlier contains an OS command injection vulnerability that allows remote attackers to execute arbitrary commands by bypassing the command filter through shell metacharacters in user-controlled input passed to r2_cmd_str(). Attackers can inject shell metacharacters through the jsonrpc interface parameters to achieve remote code execution on the host running radare2-mcp without requiring authentication.
radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malicious .zrp archive containing a symlinked notes.txt file. Attackers can craft a .zrp archive with a symlinked notes.txt that bypasses directory confinement checks, allowing note operations to follow the symlink and access arbitrary files outside the dir.projects root directory.
radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files outside the project storage boundary to cause recursive deletion of attacker-chosen directories with permissions of the radare2 process, resulting in integrity and availability loss.
Command injection in radare2's DWARF parsing (afsv/afsvj commands) allows local attackers to execute arbitrary shell commands by embedding malicious r2 command sequences in specially crafted ELF binaries. When a user opens the malicious binary and runs analysis commands (aaa followed by afsvj), unsanitized DW_TAG_formal_parameter names are interpolated into pfq command strings, triggering code execution. Fixed in commit bc5a890. EPSS data not available, not in CISA KEV. Publicly disclosed with patch and technical details from VulnCheck.
Command injection in radare2's PDB parser (versions <6.1.4) enables arbitrary command execution when analysts process maliciously crafted PE/PDB files containing newline bytes in section header names. Attack requires local file access and user interaction (opening the file with radare2's idp command). Publicly available exploit exists with EPSS score of 0.07% (22nd percentile), indicating low likelihood of mass exploitation but significant risk for targeted attacks against reverse engineers and malware analysts who routinely examine untrusted binaries.
A vulnerability has been found in Radare2 5.9.9.
A NULL pointer dereference vulnerability was discovered in radare2 6.0.5 and earlier within the info() function of bin_ne.c. Rated medium severity (CVSS 5.5), this vulnerability requires no authentication and has low attack complexity.
A NULL pointer dereference vulnerability was discovered in radare2 6.0.5 and earlier within the load() function of bin_dyldcache.c. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, requires no authentication and has low attack complexity.
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in radareorg radare2 allows Overflow Buffers. Affected version: 5.9.9. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, requires no authentication and has low attack complexity. No vendor patch available.
Out-of-bounds Write vulnerability in radareorg radare2 allows heap-based buffer over-read or buffer overflow. Affected version: 5.9.9. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, requires no authentication and has low attack complexity.
A vulnerability, which was classified as problematic, was found in radare2 5.9.9 33286. Rated medium severity (CVSS 4.8), this vulnerability has low attack complexity. Public exploit code available.