CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-26103
https://notcve.org/view.php?id=CVE-2023-26103
Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server. • https://github.com/denoland/deno/blob/2b247be517d789a37e532849e2e40b724af0918f/ext/http/01_http.js%23L395-L409 https://github.com/denoland/deno/commit/cf06a7c7e672880e1b38598fe445e2c50b4a9d06 https://github.com/denoland/deno/pull/17722 https://github.com/denoland/deno/releases/tag/v1.31.0 https://security.snyk.io/vuln/SNYK-RUST-DENO-3315970 • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-22499 – Interactive permission prompt spoofing in Deno
https://notcve.org/view.php?id=CVE-2023-22499
Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Multi-threaded programs were able to spoof interactive permission prompt by rewriting the prompt to suggest that program is waiting on user confirmation to unrelated action. A malicious program could clear the terminal screen after permission prompt was shown and write a generic message. This situation impacts users who use Web Worker API and relied on interactive permission prompt. The reproduction is very timing sensitive and can’t be reliably reproduced on every try. • https://github.com/denoland/deno/pull/17392 https://github.com/denoland/deno/security/advisories/GHSA-mc52-jpm2-cqh6 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32619 – Static imports inside dynamically imported modules do not adhere to permission checks
https://notcve.org/view.php?id=CVE-2021-32619
Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. In Deno versions 1.5.0 to 1.10.1, modules that are dynamically imported through `import()` or `new Worker` might have been able to bypass network and file system permission checks when statically importing other modules. The vulnerability has been patched in Deno release 1.10.2. Deno es un tiempo de ejecución para JavaScript y TypeScript que usa V8 y está construido en Rust. En versiones 1.5.0 hasta 1.10.1 de Deno, los módulos que son importados dinámicamente mediante las funciones "import()" o "new Worker" podrían haber sido capaces de omitir las comprobaciones de permisos de la red y del sistema de archivos al importar de forma estática otros módulos. • https://github.com/denoland/deno/security/advisories/GHSA-xpwj-7v8q-mcgj • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •