CVE-2021-3013

9.8 CRITICAL

📋 TL;DR

This vulnerability in ripgrep on Windows allows attackers to execute arbitrary programs from the current working directory when using the -z/--search-zip or --pre flags. Attackers can exploit this by tricking users into running ripgrep in a directory containing malicious executables. Only Windows users of ripgrep versions before 13 are affected.

💻 Affected Systems

Products:
  • ripgrep
Versions: All versions before 13.0.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows systems; Linux/macOS versions are not vulnerable. The vulnerability requires using the -z/--search-zip or --pre flags.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise through arbitrary code execution with the privileges of the user running ripgrep, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case

Local privilege escalation or execution of malicious payloads when users run ripgrep in untrusted directories, especially in development or build environments.

🟢 If Mitigated

Limited impact if users only run ripgrep in trusted directories and with restricted privileges, though the vulnerability remains present.

🌐 Internet-Facing: LOW - ripgrep is typically a command-line tool not directly exposed to the internet.
🏢 Internal Only: HIGH - Internal users, especially developers and system administrators, frequently use ripgrep in various directories, creating significant attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (running ripgrep with vulnerable flags) and placing malicious executables in the current working directory. No authentication bypass needed beyond local access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 13.0.0 and later

Vendor Advisory: https://github.com/BurntSushi/ripgrep/blob/master/CHANGELOG.md

Restart Required: No

Instructions:

1. Update ripgrep to version 13.0.0 or later using your package manager, or download it from GitHub.
2. For Windows: download the latest release from https://github.com/BurntSushi/ripgrep/releases.
3. Replace the existing rg.exe with the new version.

🔧 Temporary Workarounds

Avoid vulnerable flags (windows)

Do not use the -z/--search-zip or --pre flags on Windows systems.

Restrict directory access (windows)

Only run ripgrep in trusted directories with controlled content.

🧯 If You Can't Patch

  • Remove ripgrep from Windows systems or restrict its use to trusted administrators only
  • Implement application whitelisting to prevent execution of unauthorized programs from current working directory

🔍 How to Verify

Check if Vulnerable:

Run 'rg --version' on the Windows host and check whether the reported version is below 13.0.0.

Check Version:

rg --version

Verify Fix Applied:

Run 'rg --version' and confirm the reported version is 13.0.0 or higher.
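The version check above can be scripted for fleet-wide verification. The following is an added example, not part of this advisory or of the ripgrep project; it assumes that the first line of `rg --version` output has the form "ripgrep X.Y.Z ..." and it applies the advisory's scope (Windows only, fixed in 13.0.0) when deciding whether a host is affected.

```python
import platform
import re
import subprocess

# Version that fixed CVE-2021-3013, per the advisory.
FIXED_VERSION = (13, 0, 0)

# Assumed format of the first line of `rg --version` output: "ripgrep X.Y.Z ...".
_VERSION_RE = re.compile(r"^ripgrep\s+(\d+)\.(\d+)\.(\d+)")


def parse_rg_version(output: str) -> tuple:
    """Extract (major, minor, patch) from the first line of `rg --version` output."""
    stripped = output.strip()
    first_line = stripped.splitlines()[0] if stripped else ""
    match = _VERSION_RE.match(first_line)
    if not match:
        raise ValueError(f"unrecognised rg --version output: {first_line!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version: tuple, os_name: str) -> bool:
    """CVE-2021-3013 applies only to Windows builds older than 13.0.0."""
    return os_name.lower().startswith("win") and version < FIXED_VERSION


def check_installed_rg() -> dict:
    """Run `rg --version` on this host and report the result; rg may be absent."""
    try:
        out = subprocess.run(["rg", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        return {"installed": False, "error": str(exc)}
    version = parse_rg_version(out)
    return {"installed": True,
            "version": version,
            "vulnerable": is_vulnerable(version, platform.system())}


if __name__ == "__main__":
    print(check_installed_rg())
```

The operating-system test is deliberately separate from the version comparison so the same parser can be pointed at inventory data collected from many hosts; a pre-13 build on Linux or macOS is reported as not affected, matching the scope stated above.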

📡 Detection & Monitoring

Log Indicators:

  • Process execution logs showing ripgrep spawning unexpected child processes
  • Windows Event Logs showing execution of programs from unusual locations

Network Indicators:

  • Unexpected outbound connections following ripgrep execution

SIEM Query:

Process creation events where the parent process image contains 'rg.exe' and the child process is not one ripgrep is expected to launch.
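The query above can be expressed as detection logic run over process-creation telemetry. The following is an added example, not part of this advisory or of the ripgrep project. It uses the field names of Sysmon Event ID 1 (Image, ParentImage, CurrentDirectory, ProcessId), an assumed allowlist of decompression helpers that ripgrep may legitimately spawn for -z/--search-zip, and constructed sample events rather than real telemetry. It goes one step beyond the query by also flagging the pattern the advisory describes: a child resolved from ripgrep's current working directory rather than from an installed location, even when the child's file name looks expected.

```python
from pathlib import PureWindowsPath

# Assumption: decompression helpers ripgrep may legitimately spawn for
# -z/--search-zip. Adjust to what your hosts actually install, and add any
# command you deliberately pass to --pre.
EXPECTED_CHILDREN = {"gzip.exe", "bzip2.exe", "xz.exe", "lz4.exe", "zstd.exe", "brotli.exe"}


def classify_event(event: dict):
    """Return None for events not parented by rg.exe, otherwise a list of
    findings (empty when the child looks benign)."""
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    if parent != "rg.exe":
        return None

    child = PureWindowsPath(event["Image"])
    cwd = PureWindowsPath(event["CurrentDirectory"])
    findings = []

    if child.name.lower() not in EXPECTED_CHILDREN:
        findings.append("unexpected child image")

    # The CVE-2021-3013 pattern: the helper was resolved from the working
    # directory instead of a trusted install location. PureWindowsPath compares
    # case-insensitively and ignores a trailing backslash, so Sysmon's
    # "C:\dir\" form of CurrentDirectory matches the child's parent directory.
    if child.parent == cwd:
        findings.append("child executed from ripgrep's current working directory")

    return findings


def scan_events(events):
    """Return (ProcessId, findings) for every rg.exe child that raised a finding."""
    flagged = []
    for event in events:
        findings = classify_event(event)
        if findings:
            flagged.append((event["ProcessId"], findings))
    return flagged


# Constructed sample events (not real telemetry) in the shape of Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"ProcessId": 1001, "ParentImage": "C:\\tools\\rg.exe",
     "Image": "C:\\Program Files\\Git\\usr\\bin\\gzip.exe",
     "CurrentDirectory": "C:\\Users\\dev\\proj\\"},
    {"ProcessId": 1002, "ParentImage": "C:\\tools\\rg.exe",
     "Image": "C:\\Users\\dev\\untrusted\\gzip.exe",
     "CurrentDirectory": "C:\\Users\\dev\\untrusted\\"},
    {"ProcessId": 1003, "ParentImage": "C:\\tools\\rg.exe",
     "Image": "C:\\Users\\dev\\untrusted\\helper.exe",
     "CurrentDirectory": "C:\\Users\\dev\\untrusted\\"},
    {"ProcessId": 1004, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Users\\dev\\untrusted\\helper.exe",
     "CurrentDirectory": "C:\\Users\\dev\\untrusted\\"},
]

if __name__ == "__main__":
    for pid, findings in scan_events(SAMPLE_EVENTS):
        print(pid, "; ".join(findings))
```

Event 1002 is the instructive case: the child is named gzip.exe, so a name-only allowlist would pass it, but it was launched from the directory ripgrep was searching, which is exactly the behaviour the advisory warns about. In a SIEM the same two conditions map onto a comparison between the parent directory of the child image and the CurrentDirectory field.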
