VYPR
Unrated severity · NVD Advisory · Published Apr 9, 2024 · Updated Nov 4, 2025

Rust's `std::process::Command` did not properly escape arguments of batch files on Windows

CVE-2024-24576

Description

Rust standard library before 1.77.2 fails to sanitize arguments passed to Windows batch files, allowing shell injection via cmd.exe.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

CVE-2024-24576 affects the Rust standard library before version 1.77.2 on Windows when a process is spawned through the Command API [1][2]. Command::arg and Command::args are documented to hand each argument to the child process as-is, with no shell interpretation, and the standard library escapes arguments on Windows to uphold that promise [1][2]. When the program being spawned is a batch file (a .bat or .cmd extension), however, it is executed by cmd.exe, and cmd.exe splits its command line by its own rules rather than the standard rules the library's escaping was written for. The escaping was therefore insufficient: an attacker who controls an argument could break out of it and have cmd.exe run additional commands of their choosing. Only Windows targets are affected, and only when the invoked program has a bat or cmd extension; spawning any other executable is not affected.

Exploitation

An attacker must be able to supply an argument to a Command that invokes a batch file (a program with a .bat or .cmd extension). No special network position is required; the only precondition is that untrusted input reaches the process builder, for example from a request parameter, a filename, or a config value. The attacker crafts an argument containing cmd.exe metacharacters that the standard library's escaping did not neutralize; when cmd.exe parses the resulting command line, it treats part of the argument as a separate command and executes it. No privileges beyond the ability to provide the argument are needed, and no user interaction beyond running the program with the crafted input is required.

Impact

Successful exploitation gives the attacker arbitrary command execution on the Windows host, with the privileges of the process that spawned the batch file. This is a full compromise of confidentiality, integrity, and availability for that process and whatever it can reach. The Rust Security Response WG classifies the severity as critical for any application that invokes batch files with untrusted arguments [source description].

Mitigation

The fix is included in Rust 1.77.2, released 2024-04-09 [source description]. Rather than attempting to escape every possible input for cmd.exe, the patched standard library returns an error of kind InvalidInput [ErrorKind] [4] when it cannot safely escape an argument, so a spawn with a hostile argument now fails instead of silently running injected commands; callers should treat that error as a hard failure rather than a prompt to bypass escaping. Users should update to Rust 1.77.2 or later and rebuild affected binaries, since the vulnerable code is compiled into each program. Where an upgrade is not immediately possible, do not pass untrusted arguments to batch files on Windows: validate such arguments against a strict allow-list before they reach the Command, or invoke the underlying executable directly rather than through a .bat or .cmd wrapper, so cmd.exe is not involved at all. Note that the Windows-only CommandExt::raw_arg method bypasses the standard library's escaping entirely and is only appropriate when the application performs the escaping itself.
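The following is an added example, not code from the Rust project or from the advisory, illustrating the exploitation shape described above and the application-side mitigation of validating arguments before they reach a batch file. The function names (`validate_batch_arg`, `batch_command`), the allow-list of characters, the script name `build.bat` and the sample inputs are all assumptions constructed for this example. The check returns `ErrorKind::InvalidInput`, the same error kind the fixed standard library reports when it cannot escape an argument, so callers can handle both the same way.

```rust
use std::io::{self, ErrorKind};
use std::process::Command;

// Punctuation this example is willing to pass to a batch file. It is an
// allow-list chosen for this example (an assumption, not a list from the Rust
// standard library), deliberately narrower than what cmd.exe might tolerate.
// Everything else, including space, `"`, `&`, `|`, `<`, `>`, `^`, `%` and `!`,
// is rejected rather than escaped.
const ALLOWED_PUNCT: &str = "._-:/\\";

/// Returns Ok(()) if `arg` contains only characters this example considers
/// safe to hand to a .bat/.cmd script, otherwise an `ErrorKind::InvalidInput`
/// error, mirroring the error kind Rust >= 1.77.2 uses for unescapable args.
pub fn validate_batch_arg(arg: &str) -> io::Result<()> {
    if arg.is_empty() {
        return Err(io::Error::new(ErrorKind::InvalidInput, "empty batch argument"));
    }
    for c in arg.chars() {
        // A line break ends the command line for cmd.exe, so it can never be
        // made safe by quoting; reject it explicitly.
        if c == '\r' || c == '\n' {
            return Err(io::Error::new(
                ErrorKind::InvalidInput,
                "line break in batch argument",
            ));
        }
        // Allow-listing is simpler and safer than enumerating every cmd.exe
        // metacharacter: a `"` can close an open quote, `&` chains a second
        // command, and `%VAR%` is expanded even inside quotes.
        let ok = c.is_ascii_alphanumeric() || ALLOWED_PUNCT.contains(c);
        if !ok {
            return Err(io::Error::new(
                ErrorKind::InvalidInput,
                format!("disallowed character {c:?} in batch argument"),
            ));
        }
    }
    Ok(())
}

/// Builds (but does not spawn) a `Command` for a batch script, refusing any
/// argument that fails validation. Building only means this runs anywhere.
pub fn batch_command(script: &str, args: &[&str]) -> io::Result<Command> {
    let mut cmd = Command::new(script);
    for a in args {
        validate_batch_arg(a)?;
        cmd.arg(a);
    }
    Ok(cmd)
}

fn main() {
    // Constructed sample inputs: one benign filename, one of the classic
    // injection shape (close the quote, then chain a second command with `&`).
    for input in ["report-2024.txt", "\"&whoami"] {
        match batch_command("build.bat", &[input]) {
            Err(e) => println!("rejected {input:?} before spawn: {e}"),
            #[cfg(windows)]
            Ok(mut cmd) => match cmd.status() {
                // Rust >= 1.77.2 also refuses arguments it cannot escape for
                // cmd.exe; treat that exactly like our own validation failure.
                Err(e) if e.kind() == ErrorKind::InvalidInput => {
                    println!("std refused {input:?}: {e}")
                }
                Err(e) => println!("spawn failed: {e}"),
                Ok(status) => println!("build.bat exited with {status}"),
            },
            #[cfg(not(windows))]
            Ok(cmd) => println!("would run on Windows: {cmd:?}"),
        }
    }
}
```

The allow-list intentionally rejects spaces and quotes; if a batch script genuinely needs such values, the safer change is to stop invoking the .bat wrapper and call the underlying executable directly, where the standard library's normal argument escaping applies.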

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
