Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade deno
to version 1.39.1 or higher.
deno is an a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust.
Affected versions of this package are vulnerable to Unverified Ownership due to the use of raw file descriptors in op_node_ipc_pipe()
, which leads to the premature closure of arbitrary file descriptors. This allows standard input to be closed and re-opened as a different resource, enabling a silent permission prompt bypass. An attacker controlling the code executed inside a Deno runtime can achieve arbitrary code execution on the host machine regardless of permissions.
This is made more exploitable by widening the race window between clear_stdin()
and the subsequent stdin_lock.read_line()
, especially when requesting a resource with a very long name to delay the prompt, allowing another Worker to close fd 0
and open a resource starting with an A\n
within the race window. The attack can be conducted silently as stderr can also be closed, suppressing all prompt outputs.