Press Release

Comment on BadBatBut Vulnerability: Satnam Narang, Senior Staff Research Engineer at Tenable

“Recently, a security researcher known as “RyotaK” disclosed a vulnerability in multiple programming languages that can lead to a command injection on Windows systems based on a certain set of conditions.  The flaw, dubbed BatBadBut, arises from how batch files are handled. The researcher described the flaw as related to “batch files and badbut not the worst” implying that while the flaw is bad, it is certainly not the worst.

“A number of programming languages are affected, though several are merely providing documentation updates including Python, Ruby, GO and Erlang, while patches are available for Haskell, Node.js, PHP and Rust. Rust published an advisory, assigning a CVSSv3 score of 10.0 for the flaw. RyotaK cautioned that the CVSS score reflected for this vulnerability is calculated using the worst-case scenario, which is why Rust assigned it the maximum CVSS score. 


“This isn’t an “internet-breaking” vulnerability and will likely not have a significant impact on most users or even developers or maintainers of software. For those affected programming languages or applications, applying the patches themselves is generally good practice as is following the guidelines for escaping user-controlled input as well as the other guidance shared.”