CVE-2024-52338

Severity CVSS v4.0:
Pending analysis
Type:
CWE-502 Deserialization of Untrusted Data
Publication date:
28/11/2024
Last modified:
15/07/2025

Description

Deserialization of untrusted data in the IPC and Parquet readers of the Apache Arrow R package, versions 4.0.0 through 16.1.0, allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example, user-supplied input files). This vulnerability only affects the arrow R package, not other Apache Arrow implementations or bindings, unless those bindings are used via the R package (for example, an R application that embeds a Python interpreter and uses PyArrow to read files from untrusted sources is still vulnerable if the arrow R package is an affected version). It is recommended that users of the arrow R package upgrade to 17.0.0 or later. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to arrow 17.0.0 or later. If using an affected version of the package, untrusted data can be read into a Table and its internal to_data_frame() method can be used as a workaround (e.g., read_parquet(..., as_data_frame = FALSE)$to_data_frame()).

This issue affects the Apache Arrow R package: from 4.0.0 through 16.1.0.

Users are recommended to upgrade to version 17.0.0, which fixes the issue.
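An added example (not from the advisory or the arrow project) of a read helper that applies the workaround described above only when the installed arrow package is in the affected range; the helper names and the file path are assumptions.

```r
library(arrow)

# TRUE when the installed arrow R package is in the affected range
# (4.0.0 through 16.1.0, i.e. any release below the fixed 17.0.0).
# `v` defaults to the installed version; a character version is accepted too.
arrow_is_affected <- function(v = packageVersion("arrow")) {
  v <- numeric_version(as.character(v))
  v >= numeric_version("4.0.0") && v < numeric_version("17.0.0")
}

# Read a Parquet, Feather or Arrow IPC file from an untrusted source into a
# data.frame. `reader` is one of arrow's read_* functions that take the
# `as_data_frame` argument (read_parquet, read_feather, read_ipc_stream).
# Assumption: this helper is the only place untrusted Arrow data is converted.
safe_read_table <- function(path, reader = arrow::read_parquet) {
  if (!arrow_is_affected()) {
    # Fixed release: the default conversion is safe to use as-is.
    return(reader(path))
  }
  warning("arrow ", packageVersion("arrow"),
          " is affected by CVE-2024-52338; applying to_data_frame() workaround")
  # Keep the result as an Arrow Table (no automatic conversion), then use the
  # Table's own to_data_frame() method, as the advisory recommends.
  tbl <- reader(path, as_data_frame = FALSE)
  tbl$to_data_frame()
}

# Usage with a constructed placeholder path (assumed, not from the advisory):
# df <- safe_read_table("untrusted/upload.parquet")
# df <- safe_read_table("untrusted/upload.feather", reader = arrow::read_feather)
```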

Vulnerable products and versions

CPE                                      From                Up to
cpe:2.3:a:apache:arrow:*:*:*:*:*:*:*:*   4.0.0 (including)   17.0.0 (excluding)