
CVE-2024-27934 – *const c_void / ExternalPointer unsoundness leading to use-after-free
https://notcve.org/view.php?id=CVE-2024-27934
06 Mar 2024 — Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.36.2 and prior to version 1.40.3, use of inherently unsafe `*const c_void` and `ExternalPointer` leads to use-after-free access of the underlying structure, resulting in arbitrary code execution. Use of inherently unsafe `*const c_void` and `ExternalPointer` leads to use-after-free access of the underlying structure, which is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code... • https://github.com/denoland/deno/security/advisories/GHSA-3j27-563v-28wf • CWE-416: Use After Free •

CVE-2024-27933 – Deno arbitrary file descriptor close via `op_node_ipc_pipe()` leading to permission prompt bypass
https://notcve.org/view.php?id=CVE-2024-27933
06 Mar 2024 — Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass. Node child_process IPC relies on the JS side to pass the raw IPC file descriptor to `op_node_ipc_pipe()`, which returns an `IpcJsonStreamResource` ID associated with the file descriptor. On closing the resource, the raw file... • https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214 • CWE-863: Incorrect Authorization •

CVE-2024-27932 – Deno's improper suffix match testing for DENO_AUTH_TOKENS
https://notcve.org/view.php?id=CVE-2024-27932
06 Mar 2024 — Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.8.0 and prior to version 1.40.4, Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for `example[.]com` may be sent to `notexample[.]com`. Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected. Version 1.40.0 contains a patch for this issue. • https://github.com/denoland/deno/blob/3f4639c330a31741b0efda2f93ebbb833f4f95bc/cli/auth_tokens.rs#L89 • CWE-20: Improper Input Validation •

CVE-2024-27931 – Insufficient permission checking in `Deno.makeTemp*` APIs
https://notcve.org/view.php?id=CVE-2024-27931
05 Mar 2024 — Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Insufficient validation of parameters in `Deno.makeTemp*` APIs would allow for creation of files outside of the allowed directories. This may allow the user to overwrite important files on the system that may affect other systems. A user may provide a prefix or suffix to a `Deno.makeTemp*` API containing path traversal characters. This is fixed in Deno 1.41.1. • https://github.com/denoland/deno/security/advisories/GHSA-hrqr-jv8w-v9jh • CWE-20: Improper Input Validation •

CVE-2023-33966 – Deno missing "--allow-net" permission check for built-in Node modules
https://notcve.org/view.php?id=CVE-2023-33966
31 May 2023 — Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). Dependencies relying on these built-in modules are subject to the vulnerability too. Users of Deno versions prior to 1.34.0 are unaffected. Deno Deploy users are unaffected. • https://github.com/denoland/deno/releases/tag/v1.34.1 • CWE-269: Improper Privilege Management • CWE-276: Incorrect Default Permissions •

CVE-2023-28446 – Deno is vulnerable to interactive `run` permission prompt spoofing via improper ANSI neutralization
https://notcve.org/view.php?id=CVE-2023-28446
24 Mar 2023 — Deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Arbitrary program names without any ANSI filtering allow any malicious program to clear the first 2 lines of a `op_spawn_child` or `op_kill` prompt and replace it with any desired text. This works with any command on the respective platform, giving the program the full ability to choose what program they wanted to run. This problem cannot be exploited on systems that do not attach an interactive pr... • https://github.com/denoland/deno/blob/7d13d65468c37022f003bb680dfbddd07ea72173/runtime/js/40_process.js#L175 • CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •

CVE-2023-28445 – Deno improperly handles resizable ArrayBuffer
https://notcve.org/view.php?id=CVE-2023-28445
23 Mar 2023 — Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Resizable ArrayBuffers passed to asynchronous functions that are shrunk during the asynchronous operation could result in an out-of-bound read/write. It is unlikely that this has been exploited in the wild, as the only version affected is Deno 1.32.0. Deno Deploy users are not affected. The problem has been resolved by disabling resizable ArrayBuffers temporarily in Deno 1.32.1. • https://github.com/denoland/deno/pull/18395 • CWE-125: Out-of-bounds Read • CWE-787: Out-of-bounds Write •

CVE-2023-26103
https://notcve.org/view.php?id=CVE-2023-26103
25 Feb 2023 — Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of `/\s*,\s*/`, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server. • https://github.com/denoland/deno/blob/2b247be517d789a37e532849e2e40b724af0918f/ext/http/01_http.js%23L395-L409 • CWE-1333: Inefficient Regular Expression Complexity •

CVE-2023-22499 – Interactive permission prompt spoofing in Deno
https://notcve.org/view.php?id=CVE-2023-22499
17 Jan 2023 — Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Multi-threaded programs were able to spoof the interactive permission prompt by rewriting the prompt to suggest that the program is waiting on user confirmation of an unrelated action. A malicious program could clear the terminal screen after the permission prompt was shown and write a generic message. This situation impacts users who use the Web Worker API and relied on the interactive permission prompt. The reproduction is very timing sensitive a... • https://github.com/denoland/deno/pull/17392 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •

CVE-2021-41641
https://notcve.org/view.php?id=CVE-2021-41641
12 Jun 2022 — Deno <=1.14.0 file sandbox does not handle symbolic links correctly. When running Deno with specific write access, the Deno.symlink method can be used to gain access to any directory. • https://github.com/denoland/deno/issues/12152 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •