CVE-2021-3013
Description
ripgrep before 13 on Windows allows attackers to trigger execution of arbitrary programs from the current working directory via the -z/--search-zip or --pre flag.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
On Windows, ripgrep before version 13 can execute arbitrary programs from the current directory via the -z/--search-zip or --pre flags.
Vulnerability
In ripgrep versions before 13.0.0 on Windows, the -z/--search-zip and --pre flags resolve the helper program they run (the decompressor for -z, the preprocessor command for --pre) in a way that can pick up an executable from the current working directory. An attacker who can place a malicious executable in a directory can therefore have it run when a user invokes ripgrep from that directory with one of these flags. The vulnerability is specific to the Windows platform because of how executable resolution on Windows interacts with the -z and --pre flags [3].
Exploitation
An attacker must be able to place a crafted executable in the current working directory from which a victim runs ripgrep with either the -z/--search-zip or --pre flag. The attacker does not need special privileges; any low-privilege user who can write files to that directory can set up the malicious executable. When the victim executes rg -z or rg --pre in that directory, ripgrep will invoke the executable without adequate validation, leading to arbitrary code execution [3].
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the user running ripgrep. This compromises the confidentiality, integrity, and availability of the victim's system, potentially leading to full system compromise depending on the attacker's payload and the victim's privileges [3].
Mitigation
The vulnerability is fixed in ripgrep version 13.0.0, released on 2021-06-12 [1][3]. Users on Windows should update to ripgrep 13.0.0 or later immediately. There is no known workaround other than avoiding use of the -z/--search-zip and --pre flags in untrusted directories on Windows until the update is applied.
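The defensive pattern behind this fix is to look a helper program up through the directories listed in PATH only, so the working directory the user happens to be in can never decide which binary runs. The following is an added example written for this page; it is not ripgrep's own code. The function names, the assumed PATHEXT defaults (.exe, .com, .bat, .cmd) and the decompressor arguments are this example's assumptions.

```rust
// Added example (not ripgrep's own code): resolve a helper program such as
// the decompressor used by -z, or the command given to --pre, through the
// directories listed in PATH only. The working directory is never consulted,
// so a file named like the helper dropped into the directory a user searches
// from cannot be picked up. Function names, the PATHEXT defaults and the
// decompressor arguments below are this example's own assumptions.
use std::env;
use std::fs;
use std::path::{Path, PathBuf};
use std::process::Command;

/// Candidate file names for `prog` in one PATH directory. On Windows a bare
/// name may be completed with an executable extension (the common PATHEXT
/// defaults are assumed here); elsewhere the name is used as given.
fn candidates(dir: &Path, prog: &str) -> Vec<PathBuf> {
    let mut out = vec![dir.join(prog)];
    if cfg!(windows) && Path::new(prog).extension().is_none() {
        for ext in [".exe", ".com", ".bat", ".cmd"].iter() {
            out.push(dir.join(format!("{}{}", prog, ext)));
        }
    }
    out
}

/// Resolve `prog` to an absolute path using only the entries of `path_env`
/// (a PATH string in the platform's separator). Entries that are empty,
/// relative, or equal to `cwd` are skipped: any of those would let the
/// working directory decide which binary is executed.
pub fn resolve_binary(prog: &str, path_env: &str, cwd: &Path) -> Option<PathBuf> {
    // A name that already contains a path separator is accepted only when it
    // is absolute and exists; "./gzip"-style relative paths are rejected.
    let given = Path::new(prog);
    if given.components().count() > 1 {
        return if given.is_absolute() && given.is_file() {
            Some(given.to_path_buf())
        } else {
            None
        };
    }
    for dir in env::split_paths(path_env) {
        if dir.as_os_str().is_empty() || !dir.is_absolute() || dir.as_path() == cwd {
            continue;
        }
        for cand in candidates(&dir, prog) {
            if cand.is_file() {
                return Some(cand);
            }
        }
    }
    None
}

/// Build the command a -z style decompression step would spawn, but only
/// after the program has been resolved to an absolute path on PATH.
pub fn decompress_command(prog: &str, path_env: &str, cwd: &Path, file: &Path) -> Option<Command> {
    let bin = resolve_binary(prog, path_env, cwd)?;
    let mut cmd = Command::new(bin);
    cmd.arg("-d").arg("-c").arg(file);
    Some(cmd)
}

fn main() {
    // Stand-alone demonstration against the real PATH and working directory.
    let cwd = env::current_dir().expect("current directory");
    let path_env = env::var("PATH").unwrap_or_default();
    match resolve_binary("gzip", &path_env, &cwd) {
        Some(p) => println!("gzip resolves to {}", p.display()),
        None => println!("gzip not found on PATH (the working directory is never searched)"),
    }
}
```

Note that `fs` is imported for callers that want to stage a layout to try the resolver against; the resolver itself only performs `is_file` checks. Rejecting relative PATH entries as well as the working directory matters because an entry such as `.` would reintroduce the same problem through a different route.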
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ripgrep (crates.io) | < 13.0.0 | 13.0.0 |
| grep-cli (crates.io) | < 0.1.6 | 0.1.6 |
Affected products
- ripgrep/ripgrep, range: <13
- GHSA coordinates (no CPE), 3 version ranges:
  - range: < 0.1.6
  - range: < 13.0.0
  - range: < 13.0.0-2.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-g4xg-fxmg-vcg5 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-3013 (advisory)
- github.com/BurntSushi/ripgrep/blob/e48a17e1891e1ea9dd06ba0e48d5fb140ca7c0c4/CHANGELOG.md (web)
- github.com/BurntSushi/ripgrep/blob/master/CHANGELOG.md (web, vendor confirmation)
- github.com/BurntSushi/ripgrep/blob/master/CHANGELOG.md (web)
- github.com/BurntSushi/ripgrep/issues/1773 (web)
- rustsec.org/advisories/RUSTSEC-2021-0071.html (web)
News mentions
No linked articles in our index yet.